Reporting Bugs
Please email your software bugs to say@helloaiko.com with the "[BUG]" tag in your subject line.
Please discuss all details including how to reproduce the bug. Rewards will be made in some form if eligible.

Reporting Vulnerabilities
Please email your security vulnerabilities to say@helloaiko.com with the "[SECURITY]" tag in your subject line.
Please discuss all details. Rewards will be made in some form if eligible. As a reminder, please do not post vulnerabilities elsewhere before reporting to Aiko and for a 30 day period after the initial report to alllow remediation of the vulnerability.

Eligibility of Bugs
Our software development team will determine the eligibility of bugs at their discretion as well as the appropriate amount of compensation.

The general guidelines used for determining the eligibility of a bug is as follows:
- affects the platform beyond a single user (reproducibility)
- has appropriate scale to be considered a bug beyond a minor issue (e.g. not a misspelled word)
- can be realistically encountered (without attempting to break something forcibly, although this may qualify as a security vulnerability)
- the discovery of the bug did not involve a platform outage or other users without their explicit permission


Eligibility of Vulnerabilities
Our security team will determine the eligibility of vulnerabilities at their discretion as well as the appropriate amount of compensation.

The general guidelines used for determining the eligibility of a vulnerability is as follows:
- affects the platform beyond a single instance (reproducibility)
- has appropriate scale to be considered a vulnerability (e.g. using inspect element or social engineering are examples of "vulnerabilities" that do NOT qualify)
- was reported directly to Aiko AI in an appropriate timeframe after discovery
- was not used for malicious purpose (e.g. denial of service)
- the discovery of the vulnerability did not involve a platform outage or other users without their explicit permission (e.g. denial of service, compromising other accounts, stealing data)
- the vulnerability compromises data, safety, or can be used to elevate access in some way (e.g. a hidden link, account registration with a fake email, availability via HTTP, etc. would not be considered a security issue)
- is not intentional or already being tracked (Intentional vulnerabilities such as a "honeypot" or a hidden CTF challenge are not considered eligible. If the vulnerability has already been reported and is being tracked, it is not considered eligible as the first individual to report will be rewarded the full bounty)
If your vulnerability does not exactly fit the mold described above or misses a couple bullet points, it may be considered eligible anyways at the discretion of our security team. Rest assured that all reports are reviewed by humans before a decision is made.


Ready to file your report?