We don't have a bug bounty program, but any security reports are welcome. Act in good faith, don't do potentially destructive "testing" on our systems.
 
Regarding DKIM/SPF/DMARC: Yes, we know.