Responsible Disclosure Policy
Ledn's Bug Bounty Program is currently in private mode with HackerOne. If you want to be included, contact email@example.com. If you do not want to use HackerOne, all reports sent directly to Ledn must be encrypted using PGP: 443B976BCBCDB3DB9F2D18828A690EE848D0CB3D.
We are committed to maintaining the security of our systems and protecting sensitive information from unauthorized disclosure. Whenever possible, we endeavour to go beyond and above industry standards, to innovate and establish new security standards to keep up with the ever-evolving world of cyber-threats.
This policy describes what systems are in scope, the allowed types of security tests and scans, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
If you make a good faith effort to follow this policy during your security research, we will consider your research to be authorized, helpful and no legal action will be pursued against you. We look forward to working with you to understand and quickly resolve any identified issue.
To comply with this policy, you must not:
- test any system other than the systems set forth in the ‘Scope’ section,
- disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ section,
- engage in physical testing of facilities or resources,
- engage in social engineering,
- send any unsolicited emails to our users, including "phishing" messages,
- execute or attempt to execute any "Denial of Service" or "Resource Exhaustion" attacks,
- introduce malicious software,
- test in a manner which could degrade the operation of our systems; or intentionally impair, disrupt, or disable our systems,
- test third-party applications, websites, or services that integrate with or link to or from our systems,
- delete, alter, share, retain, or destroy our data, or render data inaccessible, or,
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on our systems, or "pivot" to other Ledn systems.
You acknowledge and agree that you must:
- cease testing upon Ledn's request,
- cease testing and notify us immediately upon discovery of a vulnerability,
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data,
- view and store nonpublic data only to the extent necessary to document the presence of a potential vulnerability,
- purge any stored nonpublic data after reporting a vulnerability.
The following systems / services are in scope:
Any services not explicitly listed above are excluded from scope. Additionally, vulnerabilities found in Ledn systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to its disclosure policy (if any).
The following systems / services are out of scope:
- AWS Cognito related issues
- https://ledn-resources.s3.amazonaws.com/ (public S3 buckets are not considered a vulnerability when used to serve static assets, which are public in nature)
Reporting a Vulnerability
Disclosure reports can be emailed to firstname.lastname@example.org.
Reports should provide a detailed, technical summary of the vulnerability, proof of concept where applicable, as well as any tools or exploits necessary to reproduce the vulnerability. Your report may include non-executable files, preferably in a compressed format.
Reports may be submitted anonymously, or with contact information with preferred methods of communication if open to being contacted by us for follow up questions about the disclosure. Researchers guarantee that materials included as part of the disclosure are not in violation of any intellectual property laws and give Ledn non-exclusive, royalty-free, worldwide license to use, reproduce, create derivative works and publish information included in the report in perpetuity.
Under the circumstances that we are unable to adequately address a vulnerability disclosure in a timely manner, we request that you refrain from publicly disclosing any information which may allow attackers to take advantage of the vulnerability for at least 180 days from the date of our receipt of vulnerability disclosure. If you do believe the disclosure should be made previous to the expiration of that period, please contact us to coordinate in advance.
Contact information (if provided) by the security researchers will not be shared with any third-party institution and can be removed upon request.
We appreciate your help and assistance. To show our gratitude we provide financial rewards for vulnerability reports that comply with this policy. All reward amounts will be at the discretion of our security team. Any violations of this policy will make you ineligible for a reward.
If you have any questions or concerns regarding this policy, specific test methods you are considering employing or what may or may not be considered in "Scope", please contact email@example.com. We strongly encourage security researchers to communicate with us as we are committed to addressing security and privacy issues in an adequate and timely manner.