Bug Bounty & Vulnerability Disclosure
Find a bug or a security issue in SparkBox? Tell us. The shoutout's on the house.
The honest deal
SparkBox is free: no payment, no ads, no data resale. The project funds itself from Tom's YouTube channel, a couple of affiliate links, and optional $49 supporter donations, which leaves no margin for a cash bounty pool. We genuinely cannot pay cash bounties, even small ones. If you would only report a serious issue for a payout, a small project run by a single developer is not the right place to spend your time.
What we can offer:
- A public shoutout — if you want one. Tom mentions security reporters by handle in the launch video for the patch release that fixes their finding, on his YouTube channel (@TomSparkReviews) and in the SparkBox changelog at tomsparkbox.com/changelog.html. Anonymous reports are equally welcome — no shoutout if you'd rather stay quiet.
- A fast fix. Critical and high-severity reports usually get a patched release within 24-48 hours, with a credit line in the changelog entry.
- Genuine appreciation. SparkBox is one developer's project, run in front of a few thousand beta testers. Every report, even a small UX papercut, meaningfully shapes the product. Beta is exactly the time for this.
Where to report
For non-security bugs
Post on d/sparkbox on Demox. Fill in the bug-report template (copy it from the docs) and we'll triage. Public posts help the next person who hits the same issue.
For security vulnerabilities (responsible disclosure)
If the issue could expose user data, allow remote code execution, defeat authentication, leak credentials, or otherwise materially weaken SparkBox's security posture — please don't post the details publicly. Send them privately to support@tomsparkbox.com with the subject SECURITY: followed by a short title.
Include in your report:
- What the issue is, in one or two sentences.
- How to reproduce it — steps, payloads, the SparkBox version you tested against.
- Your assessment of the impact (who can exploit it, what they get).
- Optionally, a suggested fix or mitigation.
- Whether you'd like a public shoutout when it's patched, and what handle to credit.
We'll acknowledge receipt within 48 hours, share an estimated timeline within a week, and notify you when the patch ships.
Scope
In scope:
- The SparkBox install script (get.tomsparkbox.com/install.sh and any signed release tarball).
- The dashboard application (Node.js / Express server in dashboard/).
- The Cloudflare Workers that handle license validation, webhooks, AI-troubleshooting proxy, and update telemetry.
- Module compose files and per-module bootstrap scripts (Sonarr / Radarr / Prowlarr / Jellyfin / qBittorrent / etc.).
- Anything served from tomsparkbox.com.
Out of scope:
- Bugs in upstream third-party apps (Jellyfin, Sonarr, gluetun, Vaultwarden, Nextcloud, etc.) — please report those to their respective projects. We do want to know if SparkBox's bundling of an upstream app makes its security worse than running it standalone — that's on us.
- Self-inflicted misconfigurations (e.g. exposing an admin port to the internet without a reverse proxy or auth).
- Theoretical issues without a practical exploit path.
- Spam / volumetric attacks against the Cloudflare-fronted infrastructure (Cloudflare handles those).
- Reports generated mostly by automated scanners with no human verification.
Safe-harbor commitment
We won't take legal action against good-faith security research that:
- Tests against your own SparkBox install (your hardware, your VPS, your WSL2) — not someone else's.
- Doesn't access, modify, or destroy other users' data.
- Reports the issue privately before public disclosure (90-day default disclosure window after the fix ships, or earlier if we mutually agree).
Past reporters credited
This list grows as the program runs. If you've reported something and want your handle added (or removed), email support@tomsparkbox.com.