Bug Bounty

Help us keep Adam safe.

If you find a security issue in Adam, we'd love to hear about it, and we'll pay for valid findings. Rewards are intentionally modest while the program is young, but every report gets a real human review and our sincere thanks.

01

Rewards

Bounties are paid per validated report, at the severity we confirm during triage. Duplicates go to the first reporter.

Critical
$100
Remote code execution, full account takeover, or access to other customers' data.
High
$50
Privilege escalation, authentication bypass, or significant data exposure.
Medium
$25
Limited data exposure, CSRF on sensitive actions, or issues needing unusual user interaction.
Low
$10
Minor issues with a plausible security impact.
02

Scope

What counts, and what doesn't. When in doubt, ask first at hello@adam.new.

In scope
  • The web application and everything under adam.new
  • The public API the product is built on
  • Authentication, session handling, and billing flows
  • Agent sandbox isolation and file handling
Out of scope
  • Denial of service or any volume-based attack
  • Social engineering or phishing of our team or users
  • Findings from automated scanners with no shown impact
  • Missing best practices (headers, SPF/DMARC) without an exploit
  • Third-party services we integrate with (report those to the vendor)
03

Rules & safe harbor

Follow these and we will not pursue legal action for good-faith security research. That's a promise.

  • Test only against your own accounts and data. If you hit someone else's data, stop and tell us what happened.
  • Don't exfiltrate data, disrupt the service, or degrade it for other users.
  • Give us a reasonable window (90 days) to fix an issue before sharing it publicly.
  • One issue per report, with clear steps to reproduce.
04

Submit a report

No account needed. Include a contact email if you'd like a bounty payout or a reply.

Your best guess is fine. We confirm severity during triage.

Only needed if you want a bounty payout or a reply. Leave it blank to report anonymously.