Policy
We don’t have a public reward program, but we grant rewards when vulnerabilities are responsibly reported.
Vulnerabilities that are listed below as known, or that affect a deprecated part, are not eligible for rewards.
Guidelines
- Send security reports to [email protected]
- Use one email thread per vulnerability for easier follow-up (use a dedicated subject)
- If a reward is granted, send an invoice
  - To AssoConnect, 9 rue des colonnes, 75002 Paris, FRANCE
  - The invoice must state that it is for a security reward
Known Vulnerabilities
User Enumeration
The application reveals whether a given email address is used by an existing user:
- On the login page
- On the password reset page
- On the trial sign-up page
- On a nonprofit’s registration page
Expiration of the Password Reset Link
Existing password reset links do not expire when the user updates their password, changes their email address, or sets up 2FA.
Expiration of the User Session
The session doesn’t expire on