Please read security.txt to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again.
Please refrain from requesting compensation for reporting vulnerabilities. If you want we will publicly acknowledge your responsible disclosure, once the issue is fixed.
You are not allowed to search for vulnerabilities on carto.com itself. CARTO is open source software, you can install a copy yourself and test against that.
When a vulnerability is suspected or discovered we create a confidential security issue to track it internally. Security patches are pushed to a private repository and they should not appear on CARTO.com until it's completely fixed.