LendingHome appreciates the work of security researchers and has developed a
program to make it easier to report vulnerabilities and to recognize you for
your effort to make the Internet a better place.
LendingHome asks that you only test on our matrix server which mimics our
production systems (https://www.lh-matrix.com). Testing on lh-matrix.com will avoid most rate
limits and Web Application Firewall temporary bans. Running through the
initial flow will prompt you to create a new username at the appropriate time
that you can return to. Please create any accounts with
address. You can
create multiple accounts if necessary by using VERP notation, i.e.:
Out of Scope
The following issues are outside the scope of our program:
- Our policies on the presence/absence of CORS/SPF/DMARC/HSTS records.
- Password, email and account policies, such as email id verification, reset link expiration, password complexity.
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
- Attacks requiring physical access to a user's device.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (LendingHome requires evidence of a security vulnerability).
- Self-XSS (LendingHome requires evidence on how the XSS can be used to attack another user).
- Host header injections unless you can show how they can lead to stealing user data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Reports from automated tools or scans.
- Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Any physical attempts against LendingHome employees, property, or data centers.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept).
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML.
- Absence of rate-limiting, unless related to authentication.
- Hyperlink injection or any link injection in emails LendingHome sends.
- Phishing risk via Unicode/Punycode or RTLO issues.
- Being able to upload files with the wrong extension in the chooser.
- Editable Github wikis.
- Subdomain takeovers without a complete proof of concept.
- CMS Application updates within 10 business days of release (e.g., WordPress security releases).
To promote the discovery and reporting of vulnerabilities and increase user
safety, LendingHome asks that you:
- Share the security issue with us in detail
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope
- Do not access or modify our data or our users’ data, without the explicit permission from LendingHome
- Only interact with your own accounts or test accounts for security research purposes
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to us
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
- Not be employed by LendingHome or any of its affiliates or an immediate family member of a person employed by LendingHome or any of its affiliates.
- Not be a resident of, or make Submissions from, a country against which the United States has issued export sanctions or other trade restrictions.
- Otherwise comply with all applicable laws.
If (i) you do not meet the eligibility requirements above; (ii) you breach any
of these Program Terms or any other agreements you have with LendingHome or
its affiliates; or (iii) we determine that your participation in the Bug
Bounty Program could adversely impact us, our affiliates or any of our users,
employees or agents, we, in our sole discretion, may remove you from the Bug
Bounty Program and disqualify you from receiving any benefit of the Bug Bounty
Submission and Disclosure
This is a vulnerability disclosure program and therefore we will not be
rewarding bounties on the HackerOne platform.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct.
LendingHome will not negotiate in response to duress or threats (e.g., we will
not negotiate a payout amount under threat of withholding the vulnerability or
threat of releasing the vulnerability or any exposed data to the public).
By providing a Submission or agreeing to the Program Terms, you agree that you
may not publicly disclose your findings or the contents of your Submission to
any third parties in any way without LendingHome's prior written approval.
We may modify the Program Terms or cancel the Bug Bounty Program at any time.
Firebounty crawled the LendingHome program on the HackerOne platform on 2019-12-12.