Security & Bug Bounty Program
We care deeply about protecting your words and your privacy. If you've found a bug in TextJam — whether it's a visual glitch or a serious vulnerability — thank you for helping us improve the product.
This page outlines how to report issues, what kinds of rewards we offer, and the rules for responsible disclosure.
How to Report a Security Issue
If you've discovered a security vulnerability, please email:
bugs@textjam.com
Include:
- A clear description of the issue
- Steps to reproduce it
- Any relevant screenshots or proof-of-concept code
If your report involves a vulnerability, please give us up to 30 days to resolve it before disclosing it publicly. We're committed to fixing things quickly — and we appreciate your patience and discretion.
If you act in good faith and follow these guidelines, we won't take legal action or involve law enforcement.
Security Bounty Rewards
We offer monetary rewards for valid, impactful security vulnerabilities — based on severity, reproducibility, and real-world impact.
Severity | Example Issues | Reward (USD) |
---|---|---|
Low | Clickjacking, missing security headers, user existence disclosure, long-lived access tokens | $50 – $200 |
Medium | CSRF with impact, limited XSS, weak cookie flags | $200 – $500 |
High | Privilege escalation, broken access control, stored XSS | $500 – $1,000 |
Critical | Remote code execution, full auth bypass, unauthorized access to full document contents | $1,500+ |
Bounty Eligibility
To qualify for a security bounty:
- You must be the first to report the issue
- The report must demonstrate a real, reproducible security impact
- You must provide clear steps to reproduce the issue
- Your testing must comply with the responsible disclosure rules listed on this page
We do not pay for:
- Duplicate or previously reported issues
- Reports without meaningful security impact
Responsible Disclosure Rules
To qualify for any reward, you must:
- Test only against accounts you own
- Avoid accessing or modifying real user data
- Never use phishing, social engineering, or spam
- Avoid disrupting or degrading the service
- Use manual testing or low-impact automated tools (no excessive scanning)
- Refrain from publicly disclosing vulnerabilities for at least 30 days after reporting
We do not offer bounties for:
- Denial of service (DoS) or brute-force attacks
- Social engineering or phishing attempts
- Vulnerabilities that require physical device access
- Prompt injections to retrieve system prompts or avoid model safeguards
- Cosmetic/UI issues and typos
- Bugs in third-party services (e.g. Stripe, Google APIs)
Note: Viewing fields in your own JWT (e.g. email or role claims) or seeing intentionally public info like names or avatars does not qualify as unauthorized access.
If you encounter sensitive data during testing, stop immediately and report it.
By participating in our program, you agree to follow these rules.
Response Timeline
Step | Target Time |
---|---|
Initial acknowledgment | Within 2 business days |
Triage / impact review | Within 5 business days |
Bounty payout (if any) | Within 10 business days |
Fix window | Up to 30 days |
Reporting Regular (Non-Security) Bugs
If you've found a bug that isn't a security vulnerability — layout bugs, copy/paste problems, editor quirks — we still want to hear from you.
We may reward helpful, reproducible bug reports with one of the following:
- A free Word Pack
- A free Narration Pack
- A free Dictation Pack
- A free month of TextJam access
To report a regular bug, just email:
bugs@textjam.com
We read every message. Thanks for helping make TextJam better for everyone.
— The TextJam Team