Rules
Test carefully, prove impact, leave the service intact.
These rules apply to every VibeBounty program unless a program page gives stricter instructions. When in doubt, choose the least invasive proof.
Allowed research
Manual verification
Validate issues by hand and collect only the evidence needed to show the vulnerability exists.
Your own accounts
Create test accounts when permitted and avoid touching accounts, records, or data that belong to others.
Low-volume testing
Keep requests reasonable. Do not load test, brute force, or run broad automated scans unless the program explicitly allows it.
Not allowed
Data exfiltration
Do not download, alter, delete, or disclose user data beyond the minimum proof required.
Service disruption
Denial of service, spam, credential stuffing, payment abuse, and destructive testing are prohibited.
Social engineering
Do not phish, impersonate staff, contact customers, or pressure support teams as part of testing.
Persistence
Do not install shells, backdoors, scheduled jobs, rogue users, or hidden access paths.
Public disclosure before resolution
Give the developer time to fix accepted reports before publishing details.
AI-only reports
Submissions must be tested. Prompted guesses, scanner lists, and copied writeups are not valid reports.
If you accidentally access sensitive data, stop testing, do not copy more, and include only a minimal redacted sample in your report.