# Bug Bounty

> Report security vulnerabilities responsibly

If you believe you've found a security issue, please report it responsibly.

## How to report

* Email: **[support@notte.cc](mailto:support@notte.cc)**
* Include **clear, reproducible steps**
* One issue per report

## Rewards

* Bounties are **discretionary**
* Typical range: **$50–$500**
* Only applies to **previously unreported** issues
* Amount depends on severity, impact, and report quality
* We may choose **not to award a bounty**

## Rules

* Do not disrupt our service
* Do not access or modify data you don't own
* No automated scanning or abuse
* No "testing" beyond what's needed to prove the issue

## Disclosure

* Give us time to fix the issue before public disclosure
* Reports made in bad faith or for leverage will not be rewarded
