
Fathom Analytics security bounty

We reward ethical researchers who share critical security issues as part of our commitment to privacy and security. That way, we can prioritize resolving issues as quickly as possible to protect our customers.

We don’t just offer our undying appreciation and love for reported security vulnerabilities; we offer cold, hard cash (along with that 🖤).

Why we’re doing this

Our small team takes great pride in our security and infrastructure. Over the last few years, we’ve learned so much about best practices, exploitive patterns, and top vulnerabilities—but we also know that no one team can know everything. We’re constantly learning, adapting, and adjusting.

Fathom is always striving for the best security and infrastructure in our industry, and your research helps push us even further by revealing any blind spots.

How rewards work

We pay varying amounts depending on the severity of the vulnerability, but the average bounty range is between $100 and $1,000. Payment is based on how critical, impactful or risky an issue is, and we determine the reward amount.

We pay these cash rewards via Wise to reporters who submit original, in-scope issues with our security systems.

Rules for rewards and disclosures

  1. First, don’t discuss the vulnerability publicly or with anyone else without express consent from Fathom Analytics. Also, do not break any applicable law.
  2. Don’t conduct any tests to determine whether a vulnerability exists if they will negatively impact or disrupt our services or our customers’ access to our service.
  3. You must also be the first person to report the vulnerability to be rewarded.
  4. Fathom Analytics reserves the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion. We aren’t jerks here, so we’d only not pay a reward if there was a good and rational reason to do so.

Other rules to keep in mind

In-scope vulnerabilities

We focus on vulnerabilities to usefathom.com (our marketing site) and app.usefathom.com (our application site).

The vulnerability must demonstrate a security impact on our site or application. You must not have compromised the privacy of our users or otherwise violated our terms of service, and you must not have publicly disclosed the vulnerability before the report was closed.

Out-of-scope vulnerabilities

We do not provide rewards for the following things:

Here’s how reporting works

  1. You email us your report
  2. We acknowledge your report, if it’s rewardable, and triage it in terms of resolving the issue
  3. We determine the reward value
  4. You issue us a tax invoice for the amount
  5. We pay you via a local bank transfer (sent via wise.com)
  6. We will update you as we fix the vulnerability you submitted

How to report a security vulnerability

Email us at security@usefathom.com, and we’ll get back to you (typically within five business days).

Please provide a clear report of the issue (one per email) and how to replicate it. When possible, provide all relevant videos, logs, etc.