Reporting Security Vulnerabilities

At Thanks Ben, we take the security of our platform and our customers' data seriously. We run a paid bug bounty programme and reward researchers who identify and responsibly disclose valid vulnerabilities. Our PGP key and security.txt are in the standard location, but we ask researchers to use the form below.
Report a vulnerability

What's in scope

We're especially interested in: authentication bypass, cross-tenant data access, privilege escalation, remote code execution, SSRF with real impact, stored XSS, injection flaws, and insecure direct object references.

What you need to do

Show us the exploit.

Reconnaissance alone doesn't qualify - we need a proof of concept that demonstrates real impact.

Report through a legitimate channel.

Use our HackerOne form. One vulnerability per report unless you're chaining.

Keep it confidential.

Don't disclose until we've had the chance to fix it. We support coordinated disclosure and will agree a timeline with you.

Use your own accounts.

Don't access, modify, or delete other users' data. If you're a customer and find something through normal use, we especially want to know.

What you can't do

No degrading our service.

No DoS/DDoS, no high-volume automated scanning against production. Show deficiencies through a well-targeted test, not a flood.

No social engineering or physical testing.

Don't target our staff, and don't create accounts specifically for security testing.

No configuration opinions.

Missing headers, SPF/DMARC preferences, cookie flags, etc. aren't vulnerabilities without a demonstrated exploit path.

No low-impact standalone findings.

Clickjacking on non-sensitive pages, self-XSS, host header injection, and open redirects don't qualify on their own. Chain them into real impact and we want to see it.

What we pay

Rewards are at Ben's discretion based on severity and report quality, and range from £50 to £5,000. We aim to pay within 14 days of validation.

We'll keep you updated throughout. We won't always agree on severity, and some reports may be closed as informational or known issues - when that happens, we'll explain why.

Safe harbour

If you follow these guidelines, we will not pursue legal action against you or ask law enforcement to investigate your activities. We consider research conducted in good faith and in accordance with this policy to be authorised.

If you inadvertently access data you shouldn't have, stop immediately, don't retain or share it, and tell us what happened. We'll work with you in good faith.

A note on report quality

We have a lean security team. We prioritise our time for researchers who prioritise theirs.

Reports that paste scanner output, link to a generic advisory, or describe a theoretical risk without demonstrating exploitability will be closed without review. Templated submissions that read like they were sent to fifty programmes simultaneously will be closed. Researchers who repeatedly submit low-quality or out-of-scope reports may be excluded.

If you've done the work to find and verify a real vulnerability, we want to hear from you, and we'll make it worth your time.