Yes, we offer bounties for reports of vulnerabilities that threaten the security of our users' data. Please email your report to firstname.lastname@example.org and include a description of the vulnerability as well as steps to reproduce it.
Bounties are established by our security team and are non-negotiable. Note that some optional configurations / best practices may not be awarded a bounty, if there's no direct threat to the security of our data.
Zero-day vulnerabilities may not receive bounties for the first week, as our operations team will likely already be working to patch those once announced. Similarly, if an issue is reported to us but we have not yet released a fix, we will not be able to grant a bounty for a subsequent report of the same issue.