# Vulnerability Disclosure Policy

Found a vulnerability in our systems? Fill out [this form](https://airtable.com/shrXdAN3UVdIznmOe). You'll hear back from us within two weeks at the absolute latest, and we'll let you know:

* If it's been reported previously,
* Whether or not we think it's a valid issue,
* And if it's eligible for a reward.

## Security Guidelines

Please read and follow these guidelines prior to sending in any reports.

1. **Do not report similar issues or variations of the same issue in different reports.** Please report any similar issues in a single report. It's better for both parties to have this information in one place where we can evaluate it all together. Please note any and all areas where your vulnerability might be relevant. You will not be penalized or receive a lower reward for streamlining your report in one place vs. spreading it across different areas.

2. **Only the following domains are eligible for our bounty program:**

* <https://tability.app> (Web app)

3. **Please be patient with us after sending in your report.** We'd appreciate it if you avoided messaging us to ask about the status of your report. Our team will get back to you as quickly as we are able. It is okay to inquire about the status of your report if you haven't heard from us 2 weeks after sending it in. Otherwise, we ask that you please wait patiently for us to contact you, unless you have more information relevant to the vulnerability that you'd like to share.

## Performing your research

* Do not impact users with your testing. All tests must be conducted in a Tability workspace that you own, and in such a way that it does not harm users, or break their experience.
* Do not spam comments in our feedback or support channels.
* Do not attempt to gather personally identifying information from other users.

## Exclusions

While researching, we’d like you to refrain from doing the following actions:

* Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks.
* Spamming.
* Automated penetration tests or vulnerability scans.
* Social engineering or phishing of Tability employees or contractors.
* Any attacks against Tability’s physical property or data centers.

We may suspend your Tability account and ban your IP address if you do any of the actions listed above.

## Vulnerability Assessment and Reward

Vulnerabilities are assessed via [Bugcrowd's taxonomy rating](https://bugcrowd.com/vulnerability-rating-taxonomy) and our judgment. We strive to be honest, fair, and reasonable based on the size of our current overall operating budget. We pay out the following rewards for the corresponding vulnerability levels:

* P5 ($0)
* P4 ($0)
* P3 ($25 USD)
* P2 ($50 USD)
* P1 ($75 USD)

Please note that if you report several similar issues or variations of the same issue in different reports, we may aggregate these together for a single reward. In these instances, we ask that you try to provide all examples in a single report rather than writing multiple reports (e.g. report all affected endpoints in one issue).

We issue payments via PayPal, and you are solely responsible for any applicable taxes, withholding or otherwise.

## Contact

You can contact our Security Team via email at <security@tability.io>.
