Bug Bounty Program

We value the security and functionality of our platform and appreciate the community's help in identifying issues. Our bug bounty program rewards users who responsibly report bugs that affect the functionality, security, or user experience of Outfox Stories.

Reward

US$20 cash for each valid bug report. Payment will be made within 30 days of bug verification.

Eligible Bugs

We're interested in bugs that impact:

• Security vulnerabilities - XSS, SQL injection, authentication bypass, data exposure, etc.
• Functional bugs - Features that don't work as intended or prevent normal use of the site. We especially want to hear about these!
• UI/UX issues - Broken layouts, confusing interactions, or things that just feel dumb. We especially want to hear about these too!
• Data integrity issues - Data loss, corruption, or incorrect calculations
• Payment processing errors - Issues with subscriptions, support payments, or billing
• Performance issues - Severe slowdowns or crashes that affect user experience

What Does NOT Qualify

Bounties are for actionable changes that improve the platform. The following are not eligible:

• Missing optional HTTP headers or other informational-only findings that don't represent a real risk
• Reports from automated scanners submitted without verification or analysis
• Theoretical vulnerabilities with no practical exploit or user impact
• Minor cosmetic issues like typos or trivial styling differences
• Bugs in third-party services or libraries unless they directly impact our platform

How to Report

To submit a bug report:

1. Email your report to support@outfoxstories.com with subject line "Bug Report"
2. Include a clear description of the bug and its impact
3. Provide detailed steps to reproduce the issue
4. Attach screenshots or screen recordings if applicable
5. Include your browser version, operating system, and device type
6. If reporting a security vulnerability, please do not disclose it publicly

Program Terms

• Bounties are only paid for the first report of a given issue. Duplicate reports of known bugs are not eligible
• Low-effort or vague reports may be dismissed without a bounty. A good report includes clear reproduction steps and a description of the actual vs. expected behavior
• Bugs must be previously unknown to our team
• You must not exploit the bug for personal gain or to harm other users
• Do not perform any attack that could harm the reliability or integrity of our services
• Do not access or modify other users' data without permission
• We reserve the right to determine bug validity and reward eligibility

Responsible Disclosure

We ask that you give us reasonable time to address the issue before making any information public. We aim to resolve critical security issues within 48 hours and other bugs within 7-14 days, depending on severity.

Questions?