Both README.md and CONTRIBUTING.md define the `$50` tier as covering "Critical bugs affecting security or privacy: traffic leaks, kill-switch failures, or data loss." The listed examples are VPN-tunnel-specific. Authentication bypass, credential exposure, and server-side API security flaws are absent from the definition, even though issues such as #69 (auth without password), #70 (TLS verification disabled), #73 (PSK in plaintext), #89–#93 (principal credential vulnerabilities), and #65 (database schema leak) all land in this repo as `$50` candidates.
The gap leaves reporters and triagers without a clear signal about which security class qualifies at the highest tier. A reporter who finds an authentication bypass has no basis in the current text to know whether it is worth `$50` or `$25`.
The fix is to extend the `$50` row in the table (CONTRIBUTING.md line 35, README.md reward section) to read "Critical bugs affecting security or privacy: traffic leaks, kill-switch failures, data loss, authentication bypass, credential exposure, or server-side security vulnerabilities." One additional clause resolves the ambiguity.