Skip to content


The security of our systems is our top priority. We appreciate investigative work into system security carried out by ethical security researchers. If you discover a vulnerability, however small, we would like to know about it so we can address, as quickly as possible.

Reporting a vulnerability

Please email findings to

Responsible Disclosure

  • Do not take advantage of the vulnerability or problem you have discovered. For example only download data that is necessary to demonstrate the vulnerability - do not download any more. Also do not delete, modify, or view other people’s data.
  • Do not publish or reveal the problem until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.

Our commitment

  • If you act in accordance with this policy, we will not take legal action against you in regard to your report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We offer various bug bounties as compensation, depending on the severity of the exploit found.

In-scope domains

Val Town uses the following domains:

  • *

Subdomains of these domains are additionally in scope for the program.

Out of scope issues

  • Reports that target vulnerabilities on outdated or deprecated browsers, open source libraries, or infrastructure
  • Reports relating to missing security hardening headers
  • Reports from automated tools or scans
  • Our policies on presence/absence of SPF/DMARC/DKIM/CAA/BIMI records
  • Self-XSS or developer console code execution
  • Login/logout CSRF
  • Phishing or social engineering attacks
  • Brute force login attempts
  • Bugs on Vals themselves. Vals are user-controlled code and are not part of Val Town’s product surface
  • Violating any laws or breaching any agreements in order to discover vulnerabilities