We appreciate your interest in submitting an issue through the Artsy Bounty Program. If you haven't already, please take a moment to review the terms and conditions of participating in the program at artsy.net/security.

Out of respect for your time and ours, please ensure that your issue qualifies and is not already a known issue before submitting.

Examples of unqualified reports include:

- Issues related to software or protocols not under our control, such as domains or applications that resemble Artsy, or use one of our APIs, but are not managed by Artsy.
- Issues with functionality that is in-development, experimental, or released in a "beta" stage. This includes our staging review applications.
- Disclosure of public information or information that in our opinion does not present a significant risk.

Examples of know issues include:

- Username or email enumeration through login or password reset, known as #78330000.
- Mobile number enumeration, known as #84944560.
- Unverified email addresses and the ability to pretend to be someone else. We consider both individual names and email addresses to be user data and don't have the concept of verified accounts. This is tracked as #78152068.
- We've rolled out SSL + HSTS almost everywhere. A handful of services have not yet been updated, which is known as #80962976.

Please refer to artsy.net/security for the complete list.