Bug Bounty Program

Last Update: July 22, 2025

Security Vulnerability Disclosure & Bounty Disclaimer

The Manhattan Institute encourages responsible reporting of any security issues you discover. To submit a vulnerability report and be considered for a bug bounty award please note the following:

  • Critical Severity Only: Reports must involve a vulnerability that could lead to significant impact
  • Submission Guidelines: Send your findings to bounty@manhattan.institute with:
    1. A clear description of the issue
    2. Step-by-step reproduction instructions or proof-of-concept
    3. Any scripts, logs, or screenshots that demonstrate the flaw
    4. Your full legal name
    5. Valid government-issued photo ID
    6. A completed IRS Form W-9 (for U.S. individuals) or Form W-8BEN (for non-U.S. individuals)
  • Evaluation & Payout: All reports are reviewed on a case-by-case basis. Only qualifying, critical vulnerabilities will be eligible for bounty awards. Payment amounts and eligibility are determined at the Institute’s discretion based on impact, novelty, and completeness of your submission. The Manhattan Institute reserves the right to withdraw any submissions that do not meet these standards and guidelines.
  • Legal Safe Harbor:  In compliance with this policy, and for the purpose of criminal statutes, good-faith investigation of security vulnerabilities on MI’s properties, which are promptly reported with sufficient detail, will not be treated as intentional hacking attempts.
  • Zero-Tolerance for Threats or Fraud: Any attempts to coerce, threaten, harass, or defraud Institute personnel will result in immediate removal from our bug bounty program and permanent ineligibility for any current or future bounty payments.

Thank you for helping us keep our community safe.