Top Shot was built from the ground up with security in mind. Our code, infrastructure, and development methodology helps us keep our users safe.
We really appreciate the community's help. Responsible disclosure of vulnerabilities helps to maintain the security and privacy of everyone.
If you care about making a difference, please follow the guidelines below.
Guidelines for Responsible Disclosure
We ask that all researchers adhere to these guidelines
Rules of Engagement
- Make every effort to avoid unauthorized access, use, and disclosure of personal information.
- Avoid actions which could impact user experience, disrupt production systems, change, or destroy data during security testing.
- Don’t perform any attack that is intended to cause Denial of Service to the network, hosts, or services on any port or using any protocol.
- Use our provided communication channels to securely report vulnerability information to us.
- Keep information about any bug or vulnerability you discover confidential between us until we publicly disclose it.
- Please don’t use scanners to crawl us and hammer endpoints. They’re noisy and we already do this. If you find anything this way, we have likely already identified it.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
In Scope URIs
Be careful that you're looking at domains and systems that belong to us and not someone else. When in doubt, please ask us. Maybe ask us anyway.
Bottom line, we suggest that you limit your testing to infrastructure that is clearly ours.
Out of Scope URIs
The following base URIs are expliticly out of scope:
Things Not To Do
In the interests of your safety, our safety, and for our customers, the following test types are prohibited:
- Physical testing such as office and data-centre access (e.g. open doors, tailgating, card reader attacks, physically destructive testing)
- Social engineering (e.g. phishing, vishing)
- Testing of applications or systems NOT covered by the ‘In Scope’ section, or that are explicitly out of scope.
- Network level Denial of Service (DoS/DDoS) attacks
In the interests of protecting privacy, we never want to receive:
- Personally identifiable information (PII)
- Payment card data (e.g. credit card numbers)
- Financial information (e.g. bank records)
- Health or medical information
- Accessed or cracked credentials in cleartext
Our Commitment To You
If you follow these guidelines when researching and reporting an issue to us, we commit to:
- Not send lawyers after you related to your research under this policy;
- Work with you to understand and resolve any issues within a reasonable timeframe, including an initial confirmation of your report within 72 hours of submission; and
- At a minimum, we will recognize your contribution in our Disclosure Acknowledgements if you are the first to report the issue and we make a code or configuration change based on the issue.
We're happy to acknowledge contributors. Security acknowledgements can be found here.
We run closed bug bounty programs, but beyond that we also pay out rewards, once per eligible bug, to the first responsibly disclosing third party. Rewards are based on the seriousness of the bug, but the minimum is $100 and we have and are willing to pay $5,000 or more at our sole discretion.
To qualify, the bug must fall within our scope and rules and meet the following criteria:
- Previously unknown - When reported, we must not have already known of the issue, either by internal discovery or separate disclosure.
- Material impact - Demonstrable exploitability where, if exploited, the bug would materially affect the confidentiality, integrity, or availability of our services.
- Requires action - The bug requires some mitigation. It is both valid and actionable.
Rewards are limited to a maximum of $1M of rewards per person or organization within any 12 consecutive months) at our sole discretion
Report Security Findings To Us
Reports are welcome! Please definitely reach out to us at if you have a security concern.
We encourage you to encrypt the information you send us by using our PGP key at OpenPGP Key Server
Please include the following details with your report:
- A description of the location and potential impact of the finding(s);
- A detailed description of the steps required to reproduce the issue; and
- Any POC scripts, screenshots, and compressed screen captures, where feasible.