I found a security vulnerability in your site. How does your bounty system work?

We’re concerned about the security of our site for ourselves, our models, and our customers.

If you discover an exploit or vulnerability in gmbill.com or a related non-WordPress site, or one of our internal applications, we encourage you to let us know right away. We will investigate all reasonable reports, and do our best to quickly fix the problem.

Responsible Disclosure Policy

Taking a cue from Google and other large tech companies, we have a simple “Responsible Disclosure Policy”, which must be observed when reporting an exploit or vulnerability. If you follow these points, we won’t get our lawyers involved.

  • You give us reasonable time to investigate, before making your findings public
  • You do not use the exploit to take unauthorised information or media from us
  • You make reasonable efforts to ensure private information is not distributed
  • You do not exploit a vulnerability for any reason
  • You do not violate any laws in your jurisdiction


We may, at our discretion, pay Bounties (cash payments) to people who meet our Responsible Disclosure Policy. The amount of the Bounty will be determined by the size of the impact and the significance of the risk we assess the discovered issue to be. Small size and low risk may not be due a bounty at all. A more significant issue might see between US$500 and US$1500. Amounts are calculated at our discretion only.

If we receive multiple reports of the same issue, we assess on a “first in, best dressed” policy.

Taking a lead from Facebook, if you provide proof of donation of the bounty fee we pay you to a recognised charity, we will match that donation to that charity.

If you wish, we will publish your name on this page, as recognition of your efforts (However, to date, no one has wished for that. :()

Reporting a vulnerability

Email garion@gmbill.com with the subject “Reporting a vulnerability”.