Security

Vulnerability disclosure and reward program

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses. Our bounty program is a way to reward the security researchers that help us with this task. We also publish to document issues once they are fixed.

If you believe you’ve discovered a bug in Open Collective’s security, please get in touch at . We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Open Collective.

We investigate legitimate reports and make every effort to quickly resolve vulnerabilities. To encourage responsible reporting, we will not take legal action against researchers nor ask law enforcement to investigate them providing they comply with and more generally with the following guideline: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

To learn more, see our .

Payments security

Credit cards

Open Collective doesn't store any credit card number, we're instead relying on our partner - a secure solution that is widely adopted by the industry. If our systems are compromised, we can't lose your credit card number because we simply don't have it.

about Stripe's security.

Login system

According to :

Passwordless authentication, by its nature, eliminates the problem of using an unsafe password. This means that one of the biggest user errors is taken out of your login. Not only is passwordless authentication safe to use, it might even be safer than a traditional username + password login.

about our login system.