No Strings Men welcomes good-faith security research that helps us protect our members and our service. This page explains what is in scope, how to report findings, and how we handle confidentiality and rewards.
If you are not conducting authorised security testing, our normal Terms of Use and Acceptable Use Policy apply. Read this page in full before you test.
1. Scope
This program applies to:
- The website at https://nostringsmen.com/ and all pages under https://nostringsmen.com/*
- Subdomains at https://*.nostringsmen.com/
- Access from any device or browser, including mobile apps or web views that load our site
Out-of-scope examples (unless we explicitly agree otherwise in writing) include: third-party services we do not operate, physical security, social engineering against our staff or members, spam or denial-of-service testing against production, and issues that require a user to compromise their own device or install malware.
2. Rules of engagement
We ask you to:
- Act in good faith and avoid harm to the service or to our members
- Keep details of any vulnerability private until we have had a reasonable time to assess and fix it. Do not post exploit code or public proof-of-concept material before coordinated disclosure with us
- Use only accounts and data you are allowed to use. If your testing could realistically expose other people’s information, stop as soon as you have enough evidence to describe the issue, and report it to us
- Not access, download, store, publish, or trade other users’ personal data except the minimum needed to demonstrate the issue to us
- Treat all data you encounter as strictly confidential. After you submit your report, delete and destroy local copies of sensitive material (including screenshots, videos, exports, or files) unless we ask you to retain something for verification
- Not perform testing that could degrade availability for members (for example large-scale automated scanning or load testing) without our prior written agreement
3. Why this matters
Our members trust us with sensitive information. Security weaknesses can affect everyone on the platform. Responsible disclosure helps us fix problems before they are abused. We may reference this program in our Privacy Policy and Terms of Use so members know we take reports seriously.
4. How to report
Email security@nostringsmen.com.
Include as much detail as you can so we can reproduce and prioritise the issue:
- Clear description of the vulnerability and its impact
- Steps to reproduce, including URLs, parameters, tools, and versions where relevant
- Timestamps and any request or response identifiers that help us trace logs (redact third-party secrets)
- Screenshots, short screen recordings, or other files if they help, provided they follow section 2 above
PGP-encrypted email is welcome. If you need our public key, ask at the same address.
5. What you can expect from us
- Acknowledgment: We aim to acknowledge receipt within 5 business days (UK calendar). Automated replies do not replace a human acknowledgment when volume allows.
- Triage: We will assess severity, impact, and whether the report is valid and in scope. We may ask follow-up questions.
- Remediation: We aim to provide meaningful updates as we work on a fix. Time to fix depends on complexity and risk. We cannot guarantee a specific patch date for every issue.
- Coordinated disclosure: We ask that you keep reports non-public until we agree a disclosure timeline, typically after a fix is deployed or a mitigation is in place.
6. Rewards
We may offer a monetary reward for qualifying reports that meaningfully improve security, paid by bank transfer, PayPal, or gift cards, depending on what is practical and compliant. Reward amounts are decided case by case based on severity, impact, quality of the report, and whether the issue was previously known. We review our reward approach as the business grows.
As of April 2026 we are a new service with limited revenue. We still value responsible research and will be transparent when a reward is not possible so your effort is not wasted.
Rewards are not guaranteed. Duplicate reports, issues out of scope, or findings that require unrealistic conditions may not qualify.
7. Legal approach
We intend to work with researchers who follow this page in good faith. Nothing on this page is a promise of non-enforcement in every circumstance, and you remain responsible for complying with applicable laws. If you are unsure whether your testing is lawful, seek independent legal advice.
8. Contact
Security reports: security@nostringsmen.com
General legal questions: see our Legal hub and Terms of Use.