If you think you've found a security issue in Scroll, please submit the issue to Twitter's HackerOne program at https://hackerone.com/twitter/. Note that new issues reported for Scroll may not be explicitly in-scope for bounty awards via Twitter's program—they will be reviewed and addressed at our discretion. Please make sure the issue is in Scroll itself and not one of our partner sites, and do not publicly disclose the issue.
We ask that you use common sense in your reports, in particular reports of DOS, spam, or social engineering vulnerabilities will not be rewarded, nor will reports of parts of Scroll that are working as intended.
A few other notes
We will only reward the first person to responsibly disclose a bug to us.
Any bugs that are publicly disclosed will not be rewarded.
Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time.
Your testing must not violate any laws.
We can't provide you a reward if it would be illegal for us to do so.
You are free to send any reports, but as guidance we are unlikely to award any reports that start from compromising a user's email or a user's computer.