Contact: mailto:security@brid.gy
Expires: 2030-01-01T08:00:00.000Z
Preferred-Languages: en
Canonical: https://fed.brid.gy/.well-known/security.txt
Policy: https://fed.brid.gy/docs#vulnerability

Thank you for investigating Bridgy Fed's security! We appreciate any and all reports of vulnerabilities. The code is open source (https://github.com/snarfed/bridgy-fed), feel free to try to break in, let us know if you succeed!

A few guidelines for your report to qualify for a monetary reward:

* Vulnerabilities must be in the application itself, not unrelated services like email (eg SPF/DKIM/DMARC).
* Out of scope: rate limiting, XSS/CSRF attacks (Bridgy Fed has no authenticated sessions or private data accessible to users).
* Public user data is intentionally public. That's not a vulnerability.
* No automated fuzzing, DoSes, or other high volume traffic. We block this traffic, and it will disqualify you from any possible award.