Lexul is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Lexul. This program isn’t intended to represent a monetary bug bounty program and we make no offers of monetary reward or compensation for submitting potential issues. We appreciate your commitment to improving Lexul services.
Program Policy
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Understand when duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Understand multiple vulnerabilities caused by one underlying issue should be combined into a single report.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don’t
- Don’t cause harm to Lexul, its customers, shareholders, partners or employees.
- Don’t engage in any act that may cause an outage or stop any of Lexul’s services.
- Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
- Don’t store, share, compromise or destroy any Lexul data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Lexul.
- Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Response Targets
Lexul will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 |
| Time to Triage | 2 |
| Time to Award | 10 |
| Time to Resolution | Aligned to impact and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Lexul does not allow disclosure at this time. Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne’s disclosure guidelines.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
The following types of vulnerabilities are out of scope for this program:
- Phishing
- Social engineering
- Physical security assessments
- Any form of denial of service (DoS) attack
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or bruteforce issues (we use various solutions to monitor and respond to anomalous traffic)
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Tabnabbing
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Sessions not invalidated or devices not unlinked after password change.
- Copy/pasting tool output (ex: WPScan results, SSL Labs links) as a report. A PoC and detailed description on how it can affect a user’s data or Lexul data/infrastructure must be included.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages
- Arbitrary File Download
- Mobile Apps
- Local access to user data when operating a rooted mobile device.
- Attacks that require an already compromised system and a malicious actor with escalated privileges
- Attacks that require physical access to or modification of the hardware
- Class and method name leak as a result of disassembly
- Jailbreak detection bypass
- Caching of application screenshot
Please note:
- Any testing that has a negative impact on the availability of our products and services can result in being blocked or banned.
Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Lexul during triage.
By following these guidelines and responsibly disclosing any security weaknesses directly to Lexul, we agree not to pursue legal action against you. Lexul reserves its legal rights in the event of noncompliance with program guidelines.
All submissions are to be sent to security@lexul.com.