We ask that vulnerabilities are reported direct to operations in exchange for a bounty payment, dependent on the severity and nature of the vulnerability reported. We ask that a responsible disclosure process is followed allowing at least 90 days to address new vulnerabilities from the day that the vulnerability is confirmed.