Responsible Bug Disclosure Policy

At Lojistic, keeping user information secure is a top company priority. While our team works vigilantly to protect the integrity and security of our software, we also recognize the important role that external security researchers play in keeping software systems safe. For this reason, Lojistic offers a Bug Bounty Program with financial rewards tiered by severity, following the CVSS (Common Vulnerability Scoring System) format, as outlined below.

We have recently seen an increase in low-effort and/or ineligible bug bounty submissions, many of them produced by automated scanning tools, the use of which violates our responsible bug disclosure policy.

Please note that we are no longer offering bug bounty payments for issues that do not present a significant security risk to the design of our software platform (app.lojistic.com) and its supporting properties. Moving forward, trivial or excluded submissions, as well as any discovered through the use of unapproved automated software, will not be eligible for a payout and will likely disqualify you from future participation in the program.

Submitting a Report

All bug reports should be submitted to bugs@lojistic.com and will be addressed expediently.

Do not CC or BCC bug reports to any other email address or distribution list within the Lojistic organization, as this will only create unnecessary noise and confusion and does not result in faster bounty response times. Sending bug reports to any email address other than bugs@lojistic.com will result in bounty forfeiture and disqualification from future participation in the bug bounty program.

When participating in our Bug Bounty Program, you are required to act in good faith, which includes:

  • Respect user privacy — You're authorized to look for bugs, not user data. If you encounter user data during the course of your research, stop immediately, as any further action is not authorized. Report the issue immediately without saving, copying, transferring, or otherwise retaining the exposed information.
  • Do not use automated testing — Automated tests are often noisy and disruptive. If you feel you can make a strong argument for running an automated scan, please reach out to our team first.
  • Don't cause more harm than good — Never leave a system in a more vulnerable state than when you found it. Any activity that degrades, damages, or destroys information, or that impacts the stability or user experience of our systems, is not authorized. Any DDoS-style activity is prohibited.

Bug Bounty Amounts

Previous bounty amounts are not considered a precedent for future bounty amounts. Duplicate submissions, or submissions that are very similar, are subject to reduced payout amounts. Final bounty payout amount, if any, will be determined by us at our sole discretion. In no event are we obligated to provide a payout for any submission. You are solely responsible for any tax implications related to any bounty payouts you may receive.

Critical Severity Bugs $1,000 - $3,000

  • SQL Injection
  • Remote Code Execution
  • Critical privilege or permission escalation issues
  • Critical SSRF vulnerabilities
  • Critical authentication vulnerabilities
  • And other critical-severity issues

High Severity Bugs $500 - $1,000

  • XSS that manipulates customer information
  • High severity privilege or permission escalation issues
  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • SSRF to an internal service
  • Information leaks or disclosure (including customer PII data)
  • Authentication vulnerabilities
  • And other high-severity issues

Medium Severity Bugs $50 - $500

  • XSS vectors that can expose customer information
  • Parameter pollution with auth'd side effects
  • Server misconfiguration or provisioning errors
  • Information leaks or disclosure (excluding customer PII data)
  • And other medium-severity issues

Low Severity Bugs $0

  • Mixed content issues
  • Parameter Pollution with unauthorized side effects
  • Server misconfiguration or provisioning errors
  • Other low severity issues, at our discretion

Exclusions

These issues are generally considered out of scope and not included as part of our software bounty program:

  • Social engineering
  • Unchained open redirects
  • Best practices concerns
  • Protocol mismatch
  • Exposed login panels
  • Vulnerabilities requiring the user to self-exploit (i.e. pasting JavaScript into their own browser)
  • Vulnerabilities that require the user's browser or operating system to be compromised
  • Visible stack traces
  • DDoS, brute force, or enumeration attacks
  • CSV injection
  • Minor CSRF issues (i.e. logout CSRF)
  • Presence of browser autocomplete or save password functionality
  • Any non 200 HTTP codes (500, 404, etc.)
  • Issues only exploitable through clickjacking
  • OPTIONS HTTP method enabled
  • Mail configuration (SPF, DKIM, DMARC, etc.)
  • Reports of spam (i.e. sending emails without rate limits)
  • Third party token leaking
  • Web application firewall bypass
  • Outdated software versions
  • Minor header issues, including:
    • Content-type mismatches
    • Missing HTTP security headers (X-Frame-Options, Content-Security-Policy-Report-Only, etc.)
    • Host header injection that does not have an associated exploit
    • Header misconfigurations which do not directly cause security issues
  • Infrastructure issues, including:
    • TLS issues such as lack of forward secrecy, weak/insecure cipher suites, missing HSTS, etc.
    • Server configuration issues (e.g. open ports, TLS versions, etc.)
    • Origin IP detection
    • DNS configuration issues
    • Software version leakage (e.g. web server or OS version)
  • Any bugs that do not present a security risk
  • Submissions from current employees, or former employees within one year of their departure from Lojistic
Scope

The Lojistic Responsible Bug Disclosure policy applies to the following domains and subdomains:

Vulnerabilities discovered on other Lojistic properties can still be reported, subject to the exclusions above; however, they are not eligible for a financial reward.

Confidentiality

Any information you receive or collect about us, our affiliates, or any of our users, employees or agents in connection with our Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such confidential information, including without limitation any information regarding your submission, without our prior written consent. Please note, not all requests for public disclosure can be approved.

Terms and Conditions

  • Any activities conducted in a manner consistent with this policy will be considered authorized conduct and will not be used to initiate legal action against you.
  • Lojistic reserves the right to amend this program at will and without notice.
  • Lojistic reserves the right to discontinue this program at any time without notice.
  • You may only exploit, investigate, or target vulnerabilities against your own accounts.
  • Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Lojistic.
  • By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than Lojistic via our Bug Bounty Process.