What's the policy on bug hunting?

I'm sure as tildes gets bigger, security will continue to be a matter of discussion.

The dev GodEmperors of tildes have (quite awesomely) taken a big position on security already by disallowing breached passwords from being used.

I'm not much of a hacker myself, but it's an armchair interest and I'm sure others more skilled would love to be able to give back to Tildes and help keep the site as secure as possible.

What's the policy on bug hunting, and searching for exploits?

Thanks!