1. The promise
If you find a real security vulnerability in Alllinks, tell us — and we'll thank you with money, public credit, and a fix that protects every user of the platform. We never threaten or sue legitimate researchers, and we work in good faith with anyone who works in good faith with us.
Safe harbour
Research conducted under this policy is considered authorised under the U.S. Computer Fraud and Abuse Act and similar laws. We will not initiate or support legal action against researchers who respect these rules.
2. Scope
In scope:
- alllinks.cc and all subdomains used for the production platform.
- Public profile pages and custom-domain pages.
- The dashboard and the public APIs.
- Mobile apps (iOS, Android) — once published.
Out of scope:
- Third-party services we use (Paddle checkout, Stripe, embeds from YouTube/Spotify/etc.) — report those directly to the vendor.
- Vulnerabilities in older browsers we no longer support.
- Theoretical or low-impact issues with no practical exploit (e.g. self-XSS, clickjacking on pages without sensitive actions, CSP suggestions without a real bypass).
- Rate limiting and brute-force tests against production — please don't.
- Social engineering of our team, vendors or customers. Physical attacks. DDoS.
3. Rewards
Rewards are set by severity, exploitability and the quality of the report. Ranges are guidance, not a contract — we go higher than the band for exceptional reports.
- Critical (account takeover, RCE, data exfiltration affecting many users): up to USD 5,000.
- High (auth bypass on one account, payment manipulation, stored XSS with significant impact): USD 750–2,500.
- Medium (CSRF on sensitive actions, IDOR with limited impact, reflected XSS): USD 200–750.
- Low (security misconfiguration, info leaks without real exposure): a thank-you, public credit, and Alllinks swag.
4. How to report
Email a clear write-up to security@alllinks.cc with subject Vuln report — [short title]. A good report includes:
- Affected URL or endpoint.
- Step-by-step reproduction (curl commands, request headers, browser steps).
- A proof-of-concept video or screenshot if it helps.
- Estimated impact and your suggested severity.
- Whether you'd like public credit, and the name to credit.
If your finding involves data of other users, please stop at the proof of concept — don't access more than necessary.
5. Disclosure
We aim to triage every report within 72 hours, fix critical issues within 30 days, and publish a coordinated disclosure (with credit to you, if you want it) within 90 days of the fix shipping.
6. Eligibility
- You must be the first person to report the issue.
- You must not be a current Alllinks employee or contractor, or an immediate family member of one.
- You must comply with sanctions and export-control laws applicable to receiving the reward.
7. Hall of fame
With your permission we list every contributor on our internal Hall of Fame page (linked from the Transparency Report). The list is updated quarterly.