Bug Bounty & Vulnerability Disclosure
Find a bug or a security issue in TomSparkBox? Tell us. The shoutout's on the house.
The honest deal
TomSparkBox is free — no payment, no ads, no data resale. The project funds itself off Tom's YouTube channel, a couple of affiliate links, and optional $49 Legend purchases — not enough margin to support a cash bounty pool. That means we genuinely cannot afford to pay cash bounties, even small ones. If you find a serious issue and you'd only report it for a payout, a small project run by a single developer is not the right place to spend your time.
What we can offer:
- A public shoutout — if you want one. Tom mentions security reporters by handle in the launch video for the patch release that fixes their finding, on his YouTube channel (@TomSparkReviews) and in the TomSparkBox changelog at tomsparkbox.com/changelog.html. Anonymous reports are equally welcome — no shoutout if you'd rather stay quiet.
- A fast fix. Critical and high-severity reports usually get a patched release within 24-48 hours, with a credit line in the changelog entry.
- Genuine appreciation. TomSparkBox is one developer's project run in front of a few thousand beta testers. Every report — even small UX papercuts — meaningfully shapes the product. Beta is exactly the time for this stuff.
Where to report
For non-security bugs
Post on d/sparkbox on Demox. Include the bug-report template (copy from the docs) and we'll triage. Public posts help the next person hit the same issue.
For security vulnerabilities (responsible disclosure)
If the issue could expose user data, allow remote code execution, defeat authentication, leak credentials, or otherwise materially weaken TomSparkBox's security posture — please don't post the details publicly. Send them privately to [email protected] with the subject SECURITY: followed by a short title.
Include in your report:
- What the issue is, in one or two sentences.
- How to reproduce it — steps, payloads, the TomSparkBox version you tested against.
- Your assessment of the impact (who can exploit it, what they get).
- Optionally, a suggested fix or mitigation.
- Whether you'd like a public shoutout when it's patched, and what handle to credit.
We'll acknowledge receipt within 48 hours, share an estimated timeline within a week, and notify you when the patch ships.
Scope
In scope:
- The TomSparkBox install script (get.tomsparkbox.com/install.sh and any signed release tarball).
- The dashboard application (Node.js / Express server in dashboard/).
- The Cloudflare Workers that handle license validation, webhooks, AI-troubleshooting proxy, and update telemetry.
- Module compose files and per-module bootstrap scripts (Sonarr / Radarr / Prowlarr / Jellyfin / qBittorrent / etc.).
- Anything served from tomsparkbox.com.
Out of scope:
- Bugs in upstream third-party apps (Jellyfin, Sonarr, gluetun, Vaultwarden, Nextcloud, etc.) — please report those to their respective projects. We do want to know if TomSparkBox's bundling of an upstream app makes its security worse than running it standalone — that's on us.
- Self-inflicted misconfigurations (e.g. exposing an admin port to the internet without a reverse proxy or auth).
- Theoretical issues without a practical exploit path.
- Spam / volumetric attacks against the Cloudflare-fronted infrastructure (Cloudflare handles those).
- Reports generated mostly by automated scanners with no human verification.
Safe-harbor commitment
We won't take legal action against good-faith security research that:
- Tests against your own TomSparkBox install (your hardware, your VPS, your WSL2) — not someone else's.
- Doesn't access, modify, or destroy other users' data.
- Reports the issue privately before public disclosure (90-day default disclosure window after the fix is shipped, or earlier if we mutually agree).
Past reporters credited
This list grows as the program runs. If you've reported something and want your handle added (or removed), email [email protected].