Security · responsible disclosure

Find a bug. Tell us. Get paid.

We take security seriously and we know our audience does too. If you find something real, we want to hear about it — and we'll pay you for valid reports.

Reward bands

Pay-out ranges depend on impact, exploitability, and report quality. We reserve discretion for edge cases — but the bands below are what you should expect.

Critical: $500 – $2,000

Account takeover, RCE, full database read, payment bypass on a paying user, credit forgery.

High: $200 – $500

Privilege escalation between user accounts, IDOR exposing other users' chat content, persistent stored XSS in chat.

Medium: $50 – $200

CSRF on state-changing endpoints, reflected XSS, SSRF without exfil, info-leak of low-sensitivity data.

Low: $25 – $50

Self-XSS, missing security headers with demonstrated impact, rate-limit bypass on free-tier endpoints.

In scope

  • trynoguard.com and all subdomains
  • aether-web-production.up.railway.app (Railway-hosted production)
  • Public API at /api/v1/*
  • The aether-mcp npm package and its source repository
  • The Discord bot integration (interactions endpoint)

Out of scope

  • Findings against third-party services we depend on (Venice AI, Stripe, Railway, NowPayments). Report directly to those vendors.
  • Volumetric DoS / resource-exhaustion that requires sustained attack traffic.
  • Email spoofing without demonstrated impact (we publish SPF/DMARC).
  • Findings that require physical access, social engineering of staff, or compromise of personal devices.
  • Best-practice issues without demonstrated security impact (missing HSTS sub-policy, weak TLS cipher suite, etc.).
  • Self-XSS that requires a victim to paste attacker-supplied content into the developer console.
  • Disclosure of public information (version banners, public usernames, etc.).

Rules

  1. Test only against accounts you own. Create test accounts as needed; do not access other users' data. If you accidentally see another user's data, stop and report immediately.
  2. No data exfiltration. Demonstrate impact with the minimum necessary proof — read one record, not the whole table.
  3. No service degradation. If your test would meaningfully impact other users (high-volume requests, destructive actions on shared infra), contact us first and coordinate.
  4. Give us reasonable time to fix. 90 days from report to public disclosure is the default; complex findings can extend with mutual agreement.
  5. First valid report wins. Duplicates are acknowledged but not paid.
  6. Payouts are USD-equivalent in BTC, ETH, SOL, or USDC. Tell us your preferred chain and address in the report.

What to include in your report

We pay faster for clear reports. A good report includes:

  • A clear title summarizing the finding.
  • The full URL / endpoint / file path affected.
  • Step-by-step reproduction with HTTP requests, payloads, and any required state.
  • Realistic impact — what an attacker can actually do.
  • The account(s) you used (so we can audit your activity).
  • A suggested remediation, if you have one.
  • Your preferred contact handle and crypto payout address.

Safe harbor

We will not pursue legal action or law-enforcement referral against researchers acting in good faith, within the rules above. If you're unsure whether something is in scope, ask first at security@trynoguard.com — pre-clearance is encouraged.

Hall of fame

Researchers who've reported valid findings (with permission to be listed):

The hall of fame is empty. Be the first.

Found something?

Email a clear report and we'll respond within 48 hours.

security@trynoguard.com