Bug Bounty Program


Enjoy vulnerability fishing, get recognition for your catches, and DONATE to good causes! Found a security vulnerability related to Fishbrain? Please let us know.

We'll investigate your report quickly and get back to you. We donate to a non-profit organization in the name of each person who reports a valid vulnerability. And you'll get some Fishbrain goodies and have your name on our hall of fame!


All vulnerabilities categorized by Bugcrowd as P1 or P2 (other vulnerabilities cannot expect a response)

Out of Scope

Enumeration Bugs (unless they contain critical data)

Medium TLS-related issues


You should not perform

  • DoS/DDoS Attacks

  • Brute Force Attacks

  • Social Engineering

You should

  • Respect Fishbrain users' privacy. Finders should not access or destroy any user's data.

  • Be patient. Make a good faith effort to clarify and support our security team's requests, if they have any.

  • Do no harm. Act for the common good when reporting all found vulnerabilities. Never publish them publicly without Fishbrain's permission.

We should

  • Prioritize security. Do our best to resolve reported security issues promptly and transparently.

  • Respect vulnerability catchers. Give you public recognition for your findings.

  • Do no harm. Do not inflict harm or take unnecessary measures towards you, like making legal threats or reporting to law enforcement.

Did you catch a vulnerability? Please make sure you follow these steps:

  • Make sure the vulnerability is directly related to Fishbrain. We will do our best to help you, but we can't be responsible for issues caused by third parties.

  • Report the vulnerability safely and discreetly. Get in touch with us as soon as you find a vulnerability, and ensure the details of the vulnerability stay secure and private.

  • Don't use the vulnerability to affect Fishbrain users negatively. If you've discovered a vulnerability that can negatively affect users, report it to us as soon as possible without testing it.

  • Please provide us with all the information you have. The more information you send us, the easier it is to verify the validity and urgency of your report. Different mediums, like videos and screenshots, can make the process easier and smoother.

  • Get in touch with Fishbrain's security team: security@fishbrain.com and use the public age key that can be found here.


As soon as we verify the vulnerability you reported, we'll make a donation to non-profit organizations in your name to help make our planet a better place for both Anglers and Hackers. We'll also send you some of our branded goodies as a simple gratitude gift.