Security researchers are welcome and free to toy around on and its subdomains with some restrictions. However, as is a private project with no commercial interest, I’m afraid I cannot pay huge bug bounty rewards even if you found and responsibly reported a vulnerability. Nontheless, I’d more than grateful if you share any findings (especially impacting the privacy of users) with me. Depending on the extent of the identified security issue, I’m willing to pay rewards ranging between 10€ and 100€. I’m hosting and all of its services, because I believe the world needs more privacy respecting services. If you find a vulnerability that undermindes the privacy/security of visitors of, you’ll be receiving a bug-bounty for sure. If you find a typo (or something along the severity of a typo) you’ll only be rewarded with a virtual cookie ¯\(ツ)/¯.

What you should not do

The following types of attacks must not be executed. I’m hosting the service on various vCPUs and deliberately decided not to utilize DoS protection services due to their (drastical) negative impact on privacy. Thus every kind of attack that makes takes a service out-of-operation (especially with brute force) must NOT be performed.

Non-exhaustive list allowed attacks

Reporting a vulnerability

Reports are accepted via electronic mail at Acceptable message formats are plain text, rich text, and HTML. I encourage you to encrypt submissions using our PGP public key when submitting vulnerabilities. You can find my PGP public key here.

In case you’d like to stay anonymous, I accept/encourage anonymous reports. But please keep in mind that in case you qualify for a bug bounty reward, I need payment details.


I’m committed to resolve your identified vulnerability as soon as timely possible. Feel free to write blog posts, videos or publish the vulnerability after 2 weeks. In any case, do not publish sensible data, or identities of users. Every user of MUST have the right for privacy. Don’ steal it from them!