A no-bounty vulnerability disclosure policy for small SaaS teams.
Use this when researchers email vague vulnerability claims and you need clear scope, rules, and expectations.
Get the policy template
Includes no-bounty language, in-scope/out-of-scope examples, report format, and a triage reply.
Submitting a report does not create an expectation of payment, reward, employment, or compensation.