On Sunday, January 31st, a vulnerability was disclosed to us by Replit users. People had been allowed to transfer repls they did not own to teams they did own. Within minutes of finding out, we disabled the affected endpoint. We have found no evidence that this vulnerability was exploited to transfer repls from any of our users. If we had found evidence, we would have contacted the affected community members immediately.
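The flaw described above is a broken access-control check: the transfer endpoint verified that the caller owned the destination team but not that the caller owned the repl being moved. The following is an added illustration, not Replit's code, with hypothetical names and a constructed in-memory data store; it places the incomplete check beside the hardened one that authorises both sides of the transfer.

```python
"""Added example (not Replit's code): a repl-transfer handler that checks
only the destination team, beside the hardened version that also checks
ownership of the repl being moved. Names and data are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested transfer."""


@dataclass
class Repl:
    id: str
    owner: str                  # user id of the owning account
    team: Optional[str] = None  # team the repl currently belongs to, if any


@dataclass
class Team:
    id: str
    owners: Set[str] = field(default_factory=set)


def make_state() -> Dict[str, dict]:
    """Constructed sample state: two users' repls and two teams."""
    return {
        "repls": {
            "repl-a": Repl("repl-a", owner="alice"),
            "repl-b": Repl("repl-b", owner="bob"),
        },
        "teams": {
            "team-a": Team("team-a", owners={"alice"}),
            "team-m": Team("team-m", owners={"mallory"}),
        },
    }


def transfer_vulnerable(state: dict, actor: str, repl_id: str, team_id: str) -> Repl:
    """Before: only the destination team is authorised, so any team owner
    can pull in any repl id they can name."""
    team = state["teams"][team_id]
    if actor not in team.owners:
        raise Forbidden("caller does not own the destination team")
    repl = state["repls"][repl_id]
    repl.team = team_id
    return repl


def transfer_fixed(state: dict, actor: str, repl_id: str, team_id: str) -> Repl:
    """After: the caller must own BOTH the repl and the destination team.
    Missing and not-owned objects produce the same error so the endpoint
    does not reveal which ids exist."""
    repl = state["repls"].get(repl_id)
    team = state["teams"].get(team_id)
    if repl is None or repl.owner != actor:
        raise Forbidden("repl not found or not owned by caller")
    if team is None or actor not in team.owners:
        raise Forbidden("team not found or not owned by caller")
    repl.team = team_id
    return repl


def transfer_allowed(handler: Callable, state: dict, actor: str, repl_id: str, team_id: str) -> bool:
    """Run a handler and report whether the transfer was permitted."""
    try:
        handler(state, actor, repl_id, team_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # mallory owns team-m but not repl-a: the old check lets it through,
    # the fixed check refuses and leaves repl-a untouched.
    print("vulnerable:", transfer_allowed(transfer_vulnerable, make_state(), "mallory", "repl-a", "team-m"))
    print("fixed:     ", transfer_allowed(transfer_fixed, make_state(), "mallory", "repl-a", "team-m"))
```

The hardened handler resolves the repl first and compares its recorded owner against the authenticated caller, rather than trusting the repl id supplied in the request; a regression test that asserts a non-owner is refused is the cheapest way to keep this check from being dropped again.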
The person who stepped forward did not responsibly disclose their findings. Responsible disclosure means contacting us with the alleged vulnerability along with the steps we can take to reproduce an exploit. We also ask that you not share this knowledge with anyone else.
Since we had not spelled out beforehand that responsible disclosure is required to claim the bounty, we are still going to honor it. Instead of giving the bounty money to the person who reported the problem, though, we have donated it to CodeNation to further their work in bringing access to tech careers to under-resourced high schools.
For a good example of responsible disclosure and community awesomeness, check out PDanielY's uncovering of a vulnerability in our developer API. Thank you all for making Replit fun and weird, and sharing what's going right or wrong with us!