We understand that your code, applications, and user-data hosted on Repl.it are very important so we take our responsibility to safeguard it seriously. After all, we use Repl.it to build our business too!
Being a small startup with limited resources we unfortunately can't run a bug bounty program. However, if you report a vulnerability responsibly then we'll work with you to fix the issue and then we will credit you on our blog.
Pursuant to our terms of service, you should not take any actions that interferes or disrupts the service. When in doubt, and think there might be a risk of service disruption, then don't try to verify the bug yourself -- email us and we'll work with you to verify it.
Email us at firstname.lastname@example.org with a description of the issue and we'll try to respond as soon as possible.