Bounty Program
The Melodreams Bounty Program is a structured initiative that invites qualified security researchers and ethical hackers to identify and responsibly disclose vulnerabilities in our platform. Its purpose is to strengthen defenses against real-world threats before malicious actors can exploit them.
We built Melodreams to give creators a clean, calm, and reliable space. That space only remains reliable if the underlying systems are secure. The Bounty Program is one of the concrete measures we take to achieve that goal. It is not a marketing exercise. It is a practical program with clear rules, defined rewards, and a commitment to rapid remediation.
1. Why We Run a Bounty Program
Every public platform faces continuous probing by automated tools and skilled attackers. On a service like Melodreams, the most damaging attacks include account takeover chains that let malicious actors impersonate creators, post harmful content, or extract audience data. Stored cross-site scripting in profile fields or link metadata executes in the browser of every visitor who views the affected page, so a single injected payload can reach an entire audience. Authorization bypasses can expose private analytics or allow modification of other users’ content. Server-side vulnerabilities that permit remote code execution or persistent access create the conditions for ransomware deployment, where attackers encrypt infrastructure and demand payment to restore service.
Waiting for such incidents to occur is not acceptable. The Bounty Program shifts the advantage to defenders by compensating researchers who find these issues first. It is more cost-effective, faster, and less disruptive than recovering from a breach. Every valid report we receive and fix reduces the attack surface for the entire community of creators and their audiences.
2. Scope – Vulnerabilities We Reward
We accept reports on technical vulnerabilities that have a demonstrable negative impact on confidentiality, integrity, or availability. Reports are evaluated on real-world exploitability within our production environment and the number of users or amount of data that could be affected.
Qualifying issues include, but are not limited to: authentication and session management flaws that enable account takeover; stored or reflected cross-site scripting in publicly visible profile elements, link titles, descriptions, or custom pages; improper authorization checks (for example, insecure direct object references) that allow one user to read or modify another user’s profiles, links, analytics, or settings; injection vulnerabilities (SQL, NoSQL, command, or template) that could lead to data exfiltration or system compromise; API endpoints that lack authentication, authorization, or rate limiting and so permit bulk actions, unauthorized data access, or spam campaigns; open redirect chains that can be used for phishing or malware distribution targeting visitors; information disclosure that reveals sensitive user data, internal configuration, or system details useful for further attacks; and any combination of lower-severity issues that together create a high-impact attack path (for example, leading to ransomware deployment or mass profile manipulation).
We prioritize issues that are remotely exploitable without requiring social engineering or physical access, and that affect real user data or platform integrity.
3. Out-of-Scope Issues
The following categories are generally not eligible for rewards: social engineering or phishing attempts against staff or users (unless enabled by a technical vulnerability in our systems); physical attacks or attacks requiring on-site access; denial-of-service or rate-limit bypasses that do not result in data exposure or persistent access; issues in third-party services, libraries, or CDNs that we do not control; self-XSS or issues that require the victim to perform unusual actions in their own browser; previously reported or publicly known issues; low-impact informational findings with no practical exploitation path; and theoretical issues without a working proof of concept in our environment.
If you are uncertain whether a finding falls inside or outside scope, submit it. We will provide clear feedback on every report.
4. Reward Structure
Rewards are intentionally set higher than standard platform benefits to recognize the specialized expertise and responsible effort required. For reference, the default Pro plan currently provides 5,000 gems per month or 60,000 gems per year. Bounty rewards deliver substantially greater value through longer subscriptions, significantly larger gem amounts, and exclusive items that are not available through normal purchase or subscription.
Critical Severity (remote code execution, unauthenticated or easily chained account takeover, vulnerabilities enabling mass data exfiltration or ransomware deployment): 12 months of Pro subscription + 300,000 gems + exclusive “Security Sentinel” theme pack (unavailable for purchase) + permanent custom “Verified Security Contributor” profile item/badge + option for Hall of Fame listing.
High Severity (authenticated account takeover, stored XSS affecting multiple users, authorization bypass exposing sensitive data, exploitable flaws that could facilitate targeted ransomware or persistent compromise): 6 months of Pro subscription + 150,000 gems + choice of premium theme + 6-month access to rotating custom profile items.
Medium Severity (reflected XSS with demonstrable impact, CSRF that performs state-changing actions on behalf of a victim, open redirects chained with other issues, moderate information disclosure): 3 months of Pro subscription + 75,000 gems + premium theme.
Low Severity or High-Quality Informational Reports: 25,000–50,000 gems depending on insight and clarity provided; 1 month of Pro subscription may be added for particularly useful reports.
Rewards are paid to the first valid reporter of a unique issue. Duplicate reports receive reduced or no reward. We may increase rewards for exceptionally novel or high-impact findings. All rewards are subject to verification, identity confirmation where required by law, and our standard terms of service.
5. How to Submit a Report
Send your report by email to melodreams.cinema191@passinbox.com with the subject line “Bounty Report: [Short Descriptive Title]”.
A strong report contains: a clear title; step-by-step reproduction instructions (including any test accounts or profiles used); proof of concept (screenshots, screen recording, or safe non-destructive demonstration); description of potential impact and scope of affected users; relevant technical details (HTTP requests/responses, code snippets, or logs, with credentials, session tokens, and any other users’ data redacted); your assessment of severity; and your preferred contact method for follow-up. You may include suggested remediation steps if you have them.
We prefer non-destructive proofs of concept. Test only on accounts and profiles you control. Do not perform actions that could affect other users or degrade platform performance.
6. Response, Validation, and Remediation Process
We acknowledge receipt within 48 hours. Initial triage and severity classification are normally completed within 5 business days. If additional information or clarification is needed, we will request it promptly. Once validated, we develop and deploy a fix, then notify you of resolution and process the reward.
Critical and high-severity issues are prioritized for rapid remediation, often within days or a few weeks depending on complexity. You will receive regular status updates. After the fix is live and any coordinated disclosure is complete, the reward is issued.
7. Rules, Eligibility, and Safe Harbor
The program is open to researchers worldwide who act in good faith. You must not: exploit findings for personal gain or extortion; publicly disclose the issue before we have fixed it and agreed on a disclosure timeline; perform destructive testing or attacks that harm other users or platform availability; or violate applicable laws.
Safe Harbor: When you follow the rules above and the responsible disclosure process described on this page, Melodreams will not pursue legal action against you for the security research activities necessary to discover and report the specific vulnerability. This protection applies only to the reported issue and the methods used to demonstrate it without causing harm.
Violations (including premature public disclosure, data destruction, or attacks on other users) result in immediate disqualification and may lead to legal action or reports to authorities. We enforce these boundaries to protect the community.
8. Recognition and Transparency
With your consent, we list contributors of valid reports in our public Hall of Fame (name or handle, type of issue found, and date – without sensitive technical details). This is optional. We may also publish aggregated, anonymized statistics about the program to demonstrate its effectiveness.
9. Legal and Compliance
The Bounty Program operates in accordance with applicable laws in the jurisdictions where Melodreams is available. It follows responsible disclosure best practices and respects data protection and privacy regulations. Nothing on this page constitutes legal advice. Specific terms may vary by jurisdiction. We update this page when the program, rewards, or regulatory requirements change. The current version is the one you are reading.
Discovered a security vulnerability or potential attack vector?
Report it responsibly to melodreams.cinema191@passinbox.com. Every submission is reviewed by our team. We value the expertise of researchers who help keep the platform secure for creators and their audiences.
The Bounty Program is a core part of how we maintain a secure environment. By working with skilled researchers, we identify and eliminate risks from hackers, ransomware, and other threats before they can affect the community. Your contributions directly support the calm, reliable experience that creators expect from Melodreams. We appreciate your expertise and look forward to your reports.
Melodreams