From ad1ef20f171c9f61439f32168987b0b4f9abd74b Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 29 Apr 2020 14:54:04 +0200
Subject: [PATCH] Add bug bounty page

---
 content/en/dev/disclosure.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 content/en/dev/disclosure.md

diff --git a/content/en/dev/disclosure.md b/content/en/dev/disclosure.md
new file mode 100644
index 00000000..3342a5b2
--- /dev/null
+++ b/content/en/dev/disclosure.md
@@ -0,0 +1,16 @@
+---
+title: Bug bounties and responsible disclosure
+description: What to do if you found a serious bug
+menu:
+  docs:
+    weight: 9999
+    parent: dev
+---
+
+If you believe you've identified a security vulnerability in Mastodon (a bug that allows something to happen that shouldn't be possible), you should send the report to **hello@joinmastodon.org**. We will gladly reward such reports in proportion to the severity of the issue through our OpenCollective fund.
+
+You should *not* report such issues on GitHub or in other public spaces to give us time to publish a fix for the issue without exposing Mastodon's users to increased risk.
+
+{{< hint style="info" >}}
+A "vulnerability in Mastodon" is a vulnerability in the code distributed through our main source code repository on GitHub. Vulnerabilities that are specific to a given installation (e.g. misconfiguration) should be reported to the owner of that installation and not us.
+{{< /hint >}}