Silver IT
Making Computers Fun Again

🪲 Bug bounty

We offer monero (xmr) rewards for any issues with our site or infrastructure, from minor typos to root command execution. Bugs and vulnerabilities can be submitted anonymously using the form below, however providing an email is helpful if we need to follow up.


XMR Name Description
0.01 Typographical Any small spelling or grammar mistake
0.02 Content error More serious annoyances like duplicate paragraphs
0.05 Factual error Objective things that are simply untrue
0.03 Error message Any reproducible error message resulting from normal use of the service
2.0 Persistent XSS Any cross-site scripting attack that is saved on our server
3.0 Partial database or maildir Unauthorized access to data or emails
6.0 Complete database or maildir Unauthorized dump of all data or emails (paid per instance)
12.0 Unprivileged code execution Code execution as a non-root user on any of our servers
15.0 Privileged code execution Code execution as a root user on any of our servers

We do not pay extortionists to prevent leaks or unlock ransomware. That means the bounties above, modest though they may be, are the only reward available.

Finding a bug is not a guarantee of a payout. For example, ending an English sentence with a preposition is technically incorrect, but so common that we do it intentionally. Use of the word "data" as a singular noun is another example of a grammar error that we would not pay out due to its pettiness. That said, we have a strong incentive to compensate white-hats and will always pay for a non-trivial bug.

The list above is not comprehensive, so if you find a bug of a type not listed above, please send it anyway and we may negotiate a reward.

Permitted hacking activities

White-hats are welcome to perform any kind of recon and penetration except the attack types listed below. Yes, this is explicit written permission from the company for anyone anywhere to perform port scans, database injections, XSS attacks, or exploitation of software vulnerabilities. The only activities NOT allowed are:

Execution of any of these listed attack types will never result in a bounty reward and may result in prosecution of perpetrators.

Disclosure timeline

We observe a 90-day disclosure timeline, starting from our acknowledgment of the bug. This means, you must not publish or disseminate details of the exploit until we have time to fix it (90 days). After that period, the hacker is free to publish details of the exploit on their security blog or anywhere. Hackers disclosing details of their exploit before the closure of the 90-day window will not be eligible for a bounty and may be prosecuted. Hackers are never permitted to publish any sensitive data or intellectual property from the company or its users.

Previously-awarded bounties

All bounties are posted with the hacker's permission, so we may have paid out bounties not listed here.

(No bug bounties have been awarded yet)

Securely reporting a bug

So you've found a bug or vulnerability! Please responsibly disclose it using the form below. Any data entered in this form will be PGP-encrypted on the client-side before being submitted.

Uh-oh, you don't have javascript. This form won't work without it. Please send an email to instead. Be sure to include your monero address for a payout. You can encrypt your message using ki9's PGP key. Be sure to include your own pgp public key in case we need to reply.

Describe the bug:

Enter your monero primary address (for a payout):

This is a sha256 checksum of your bug description:

To receive a monero payout, open the Monero GUI and go to Advanced > Sign/verify. Paste the sha256 code above into the "Message" field and copy the "Signature" field. Then paste the signature below:

Your email (optional):

Your public pgp key (optional)

Check this box if you permit us to post some details about this bug (nothing about you) in the "Previously-awarded bounties" section above.