Security & Bug Bounty Program

Effective for all bug reports received from April 30, 2026 onward.

We care deeply about protecting your words and your privacy. If you've found a bug in TextJam — whether it's a visual glitch or a serious vulnerability — thank you for helping us improve the product.

This page outlines how to report issues, what kinds of rewards we offer, and the rules for responsible disclosure.


How to Report a Security Issue

If you've discovered a security vulnerability, please email:

bugs@textjam.com

Include:

  • A clear description of the issue
  • Steps to reproduce it
  • Any relevant screenshots or proof-of-concept code

If your report involves a vulnerability, please give us up to 60 days to resolve it before disclosing it publicly. We're committed to fixing things quickly — and we appreciate your patience and discretion.

If you act in good faith and follow these guidelines, we won't take legal action or involve law enforcement.


Security Bounty Rewards

We offer monetary rewards for valid, impactful security vulnerabilities — based on severity, reproducibility, and real-world impact.

Severity | Example Issues | Reward (USD)
Low | Clickjacking, user existence disclosure | $50 – $200
Medium | CSRF with impact, weak cookie flags | $200 – $500
High | Privilege escalation, broken access control, XSS with executed code | $500 – $1,000
Critical | Remote code execution, full auth bypass, unauthorized access to full document contents | $1,500+

Bounty Eligibility

To qualify for a security bounty:

  • You must be the first to report the issue
  • The report must demonstrate a real, reproducible security impact
  • You must provide clear steps to reproduce the issue
  • Your testing must comply with the responsible disclosure rules listed on this page

We do not pay for:

  • Duplicate or previously reported issues
  • Reports without meaningful security impact

Out of Scope

We do not offer bounties for:

  • Denial of service (DoS) or brute-force attacks
  • Social engineering or phishing attempts
  • Attacks requiring physical access to or theft of someone else's device
  • Prompt injections to retrieve system prompts / details or avoid model safeguards
  • Non-critical CSP headers omitted, or CSP exemptions required for site operation
  • Missing DNSSEC / DS records (not adopted by google.com, github.com, or other major sites)
  • Profile picture, name, or email visible to document collaborators (like Google Docs)
  • Unenforced usage limits (e.g. rate limits, quota caps, free-tier ceilings)
  • Long-lived login tokens (by design)
  • 500 errors from probing endpoints with invalid inputs
  • Bugs in third-party services (e.g. Stripe, Google APIs)
  • Cosmetic/UI issues and typos

Note: Viewing fields in your own JWT (e.g. email or role claims) or seeing intentionally public info like names or avatars does not qualify as unauthorized access.


Responsible Disclosure Rules

To qualify for any reward, you must:

  • Test only against accounts you own
  • Avoid accessing or modifying real user data
  • Never use phishing, social engineering, or spam
  • Avoid disrupting or degrading the service
  • Use manual testing or low-impact automated tools (no excessive scanning)
  • Not publicly disclose vulnerabilities for at least 60 days after reporting

If you encounter sensitive data during testing, stop immediately and report it.

By participating in our program, you agree to follow these rules.


Response Timeline

Step | Target Time
Initial acknowledgment | < 1 week
Triage / impact review | < 2 weeks
Bounty payout (if any) | < 30 days
Fix window | < 60 days

Reporting Regular (Non-Security) Bugs

If you've found a bug that isn't a security vulnerability — layout bugs, copy/paste problems, editor quirks — we still want to hear from you.

We may reward helpful, reproducible bug reports with one of the following:

  • A free Word Pack
  • A free Narration Pack
  • A free Dictation Pack
  • A free month of TextJam access

To report a regular bug, just email:

bugs@textjam.com

We read every message. Thanks for helping make TextJam better for everyone.

— The TextJam Team


Prior policy versions: September 15, 2025 to April 29, 2026.
