Every day new security issues and cyber security attacks are created. LogMeOnce employs state-of-the-art security developments by working with security researchers and companies. The purpose of this document is to outline the terms and conditions under which we will pay bounties for ethically reported bugs.
Keeping user information safe and secure is a top priority and a core principle at LogMeOnce. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all LogMeOnce employees and users.
LogMeOnce provides rewards to vulnerability reporters at its discretion (see “Reporting”). Our reward is $30 USD for low-impact and $50 USD for medium-impact vulnerabilities. Reward amounts may vary depending upon the severity of the vulnerability reported and the quality of the report. Keep in mind that this is not a contest or competition.
Applications in Scope
Externally facing LogMeOnce solutions and currently supported LogMeOnce products are in scope.
Eligibility and Responsible Disclosure
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
- Do not access or modify our data or our users’ data, without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to LogMeOnce;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award since those are explicitly out of scope;
- Share the security issue with us in detail;
- Give us a reasonable time to respond to the issue; and
- Otherwise comply with all applicable laws.
We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability is not permitted and will cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
The following issues are outside the scope of our rewards program:
- Our policies on the presence/absence of SPF/DMARC records.
- Password, email, and account policies, such as email id verification, reset link expiration, password complexity.
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
- Login/logout CSRF.
- Attacks requiring physical access to a user’s device.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (we require evidence of a security vulnerability).
- Self-XSS (we require evidence on how the XSS can be used in an attack).
- Host header injections unless you can show how they can lead to stealing data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Issues relating to buggy non-LogMeOnce software.
- Reports from automated tools or scans.
- Reports of spam (i.e., any report involving the ability to send emails without rate-limits).
- Attacks that require the attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Vulnerabilities affecting users of outdated browsers or platforms.
- Social engineering of LogMeOnce employees or contractors.
- Any physical attempts against LogMeOnce property or data centers.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner).
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.
- Any report about how LogMeOnce solutions can be used to serve malware.
- Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope.
- We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
- Ability to share links without verifying email.
- Absence of rate-limiting, unless related to authentication.
- Reflected File Download vulnerabilities or any vulnerabilities that let you start a download to the user’s computer are out of scope.
- IP/Port Scanning via LogMeOnce services unless you are able to hit private IPs or LogMeOnce servers.
- Devices (iOS, Android, desktop apps) not getting unlinked on password change.
- Hyperlink injection or any link injection in emails we send.
- Creating multiple accounts using the same email is also out of scope.
- Phishing risk via unicode/punycode or RTLO issues.
- Being able to upload files with the wrong extension in chooser.
- Editable GitHub wikis.
Notes on SSRF Submissions
Before submitting an SSRF report, please ensure that the response you are receiving is neither:
- HTTP/1.1 403 Forbidden
Either of these responses usually indicates that your request was blocked and is not a valid SSRF.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with LogMeOnce’s Bug Bounty policy, LogMeOnce will take steps to make it known that your actions were conducted in compliance with this policy.
The Fine Print
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. LogMeOnce employees and their family members are not eligible for bounties.
Send all details to [email protected] with the subject line “LogMeOnce Vulnerability Disclosure”.
Please include a valid business email address and social media profile.
Except as otherwise stated, there are no exceptions to this policy.
Procedure Retention Period: Permanently, or until superseded.
Revision/Review Cycle: Annual
Note that this policy/procedure can be revised at any time by the owner or other authorized party. The time period noted here establishes the maximum time that can elapse after the issue date before the procedure is reviewed at least for accuracy and relevancy.
Revision Date: 08-2020