Yes, we offer bounties for reports of vulnerabilities that threaten the security of our users' data. Please email your report to firstname.lastname@example.org and include a description of the vulnerability as well as steps to reproduce it.
Bounties are established by our security team and are non-negotiable. Note that some optional configurations / best practices may not be awarded a bounty, if there's no direct threat to the security of our data.
Zero-day vulnerabilities may not receive bounties for the first week, as our operations team will likely already be working to patch those once announced.