We welcome reports of real security vulnerabilities that could affect Amplenote users or our systems. Bounties are only paid for issues that represent a genuine security risk and can be verified by our team. Reports can be sent via email to support@amplenote.com.
linkWhat Qualifies for a Bounty
A report is eligible for a payout only if all of the following are true:
It describes an actual security vulnerability
The issue is clearly explained with enough detail to test
The vulnerability is reproducible
It affects Amplenote production systems or user data
It is reported in good faith and through responsible disclosure
All reports are reviewed case-by-case. Submitting a report does not guarantee a payout.
linkWhat Does Not Qualify for a Bounty
We do not pay bounties for:
Reports that cannot be reproduced
Reports that do not describe a security issue
General security/standards advice or best-practice suggestions
Theoretical issues with no demonstrable impact
Duplicate or previously reported vulnerabilities
Automated scan output without a proven, working exploit
Issues affecting third-party services, user devices, or out-of-scope systems
Social engineering, phishing, or physical attacks
Cosmetic, UI, or purely informational findings
linkReward Decisions
If a report qualifies, the bounty amount is determined based on:
Severity and impact
How easy the issue is to exploit
Risk to users or data
All payments are made at our discretion.
linkResponsible Disclosure Rules
By submitting a report, you agree to:
Avoid accessing or altering user data beyond what’s needed to prove the issue
Avoid disrupting service
Not publicly disclose the issue before it is fixed
Give us reasonable time to investigate and respond
Breaking these rules may result in no payout and/or ineligibility for future payouts.
linkLegal Boundaries Still Apply
This program does not give permission to break the law, violate terms of service, or test systems outside scope. All testing must stay within legal and ethical limits.