Responsible Bug Disclosure Policy
At Lojistic, keeping user information secure is a top company priority. While our team works vigilantly to protect the integrity and security of our software, we also recognize the important role that external security researchers play in keeping software systems safe. For this reason, Lojistic offers a Bug Bounty Program with financial rewards following the CVSS (the Common Vulnerability Scoring Standard) format, outlined below.
Submitting a Report
All bug reports should be submitted to email@example.com and will be addressed expediently.
Please refrain from CCing/BCCing bug bounty submissions to multiple addresses and/or distribution lists within the Lojistic organization. This only succeeds in creating unnecessary noise and confusion, and does not result in faster bounty response times. Make sure all submissions are ONLY sent to firstname.lastname@example.org. Failure to abide by this request will result in bounty forfeiture.
When participating in our Bug Bounty Program, you are required to act in good faith, which includes:
- Respecting user privacy — You're authorized to look for bugs, not user data. If you encounter user data during the course of your research stop immediately as any further action is not authorized. Report the issue immediately without saving, copying, transferring, or otherwise retaining the exposed information.
- Avoid automated testing — These are often noisy and disruptive. If you feel you can make a strong argument for running an automated scan, please reach out to our team first.
- Don't cause more harm than good — Never leave a system in a more vulnerable state than when you found it. Any activity that degrades, damages, or destroys information or impacts the stability or user experience of our systems are not authorized. Any DDoS-style activity is prohibited.
Bug Bounty Amounts
Previous bounty amounts are not considered a precedent for future bounty amounts. Duplicate submissions, or submissions that are very similar, are subject to reduced payout amounts. Final bounty payout amount, if any, will be determined by us at our sole discretion. In no event are we obligated to provide a payout for any submission. You are solely responsible for any tax implications related to any bounty payouts you may receive.
Critical Severity Bugs $1,000 - $3,000
- SQL Injection
- Remote Code Execution
- Critical privilege or permission escalation issues
- Critical SSRF vulnerabilities
- Critical authentication vulnerabilities
- And other critical-severity issues
High Severity Bugs $500 - $1,000
- XSS that manipulates customer information
- High severity privilege or permission escalation issues
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- SSRF to an internal service
- Information leaks or disclosure (including customer PII data)
- Authentication vulnerabilities
- And other high-severity issues
Medium Severity Bugs $200 - $500
- XSS vectors that can expose customer information
- Parameter pollution with auth'd side effects
- Server misconfiguration or provisioning errors
- Information leaks or disclosure (excluding customer PII data)
- And other medium-severity issues
Low Severity Bugs $20 - $200
- Mixed content issues
- Parameter Pollution with unauthorized side effects
- Server misconfiguration or provisioning errors
- Other low severity issues, at our discretion
These issues are generally considered out of scope and not included as part of our software bounty program:
- Social engineering
- Unchained open redirects
- Best practices concerns
- Protocol mismatch
- Exposed login panels
- Stack traces
- DDOS attacks
- CSV injection
- Minor CSRF issues (ie. logout csrf)
- Presence of browser autocomplete or save password functionality
- Any non 200 HTTP codes (500, 404, etc.)
- Issues only exploitable through clickjacking
- OPTIONS HTTP method enabled
- Mail configuration (SPF, DKIN, DMARC, etc.)
- Host header injection that does not have an associated exploit
- Missing HTTP security headers (X-Frame-Options, Content-Security-Policy-Report-Only, etc.)
- Brute force attacks
- Reports of spam (ie. sending emails without rate limits)
Infrastructure issues, including:
- SSL issues like SSL Forward Secrecy or weak/insecure cipher suites
- Server configuration issues (e.g. open ports, TLS versions, etc.)
- DNS configuration issues
- Software version leakage (eg. web server or OS version)
- Any bugs that do not provide a security risk
- Submissions from current employees, or former employees within one year of their departure from Lojistic
The Lojistic Responsible Bug Disclosure policy applies to the following domains and subdomains:
Vulnerabilities discovered on other Lojistic properties should still be reported following the guidelines above, however, may be ineligible for a financial reward.
Any information you receive or collect about us, our affiliates, or any of our users, employees or agents in connection with our Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such confidential information, including without limitation any information regarding your submission, without our prior written consent. Please note, not all requests for public disclosure can be approved.
Terms and Conditions
- Any activities conducted in a manner consistent with this policy will be considered authorized conduct and will not be used to initiate legal action against you.
- Lojistic reserves the right to amend this program at will and without notice.
- Lojistic reserves the right to discontinue this program at any time without notice.
- You may only exploit, investigate, or target vulnerabilities against your own accounts.
- Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Lojistic.
- By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than Lojistic via our Bug Bounty Process.