
What I'm thinking of are things like "a paying customer can DoS you with a carefully constructed malicious input". That usually won't be a practical issue if you're small enough to know all your customers - but it has the potential to be very problematic if you incentivize people to find it.


This is usually addressed in your program policy. For example, look at https://hackerone.com/twitter :

> Accessing private information of other users, performing actions that may negatively affect Twitter users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report



