From c4075e86e9466bc39c53620ca87f024da6255922 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 17 Jul 2025 16:19:07 +0200 Subject: [PATCH] docs: mention bug bounty --- SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 38b4775..abb0ea4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -44,6 +44,16 @@ This process applies to any repositories within the Express ecosystem. If you are unsure whether a repository falls under this policy, feel free to reach out via email. +### Reporting via Bug Bounty (YesWeHack) + +If you wish to receive a financial reward for your security report, you may submit your findings through our official bug bounty program, hosted on YesWeHack. + +This program is supported by the [Sovereign Tech Resilience Program](https://www.sovereigntechfund.de/programs/bug-resilience) and offers rewards for qualifying vulnerabilities found in the Express core packages. + +For scope, rules, and submission instructions, visit: +➡️ [Express Bug Bounty Program on YesWeHack](https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program/details) + + ### Reporting via Email If you prefer, you can also report security issues by emailing `express-security@lists.openjsf.org`.
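Review bot: The second paragraph of the new "Reporting via Bug Bounty (YesWeHack)" section limits rewards to "the Express core packages", while the unchanged context line just above it says the process applies to "any repositories within the Express ecosystem". The section does not say which packages count as core, or where to send a finding in a repository outside that set. Consider adding a sentence that names or links the in-scope packages and directs out-of-scope reports to the other channels in this file, such as the email address in the following section. Minor style point: the hunk ends with two consecutive added blank lines before "### Reporting via Email"; one is enough.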