Researchers are only paid for their work when they find vulnerabilities. Often, this means working for many hours without pay.
Prompt acknowledgement and regular communication shows appreciation for the time and effort researchers have put into reporting security vulnerabilities and encourages them to continue focusing on your application.
Our 72 hour policy
Please respond to new reports within 72 hours and provide an update to researchers every 72 hours thereafter.
The first response should be an acknowledgement of the report. Subsequent updates can be short, but should communicate the status of the report and any potential award.