We're not Oracle. If you spend your time ripping apart our API, front-end code, or scanning our servers for vulnerabilities... we're fine with it. There's currently no bug bounty paying hard cash. We want to change that, but give us a few months to get up and running properly. For now, if you find anything amiss with the way things communicate, let us know at [email protected] — we'll give you all the credit, and not just in 11-point font on a Tuesday.
We also hope our customers understand. When it comes to security, the worst thing to do is fight the wrong fight.
Rip it up.