Vulnerability disclosure and reward program

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses. Our bounty program is a way to reward the security researchers that help us with this task. We also publish postmortems to document issues once they are fixed.

If you believe you’ve discovered a bug in Open Collective’s security, please get in touch at security@opencollective.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Open Collective.

We investigate legitimate reports and make every effort to quickly resolve vulnerabilities. To encourage responsible reporting, we will not take legal action against researchers nor ask law enforcement to investigate them providing they comply with our security policy and more generally with the following guideline: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

To learn more, see our security bounty policy.

Payments security

Credit cards

Open Collective doesn't store any credit card number, we're instead relying on our partner Stripe - a secure solution that is widely adopted by the industry. If our systems are compromised, we can't lose your credit card number because we simply don't have it.

Learn more about Stripe's security.

Login system

According to Auth0:

Passwordless authentication, by its nature, eliminates the problem of using an unsafe password. This means that one of the biggest user errors is taken out of your login. Not only is passwordless authentication safe to use, it might even be safer than a traditional username + password login.

Learn more about our login system.