LogSnitch looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
We ask that you:
Only perform security testing from accounts that have a "@wearehackerone.com" email address tied to them.
Only interact with your own accounts. Do not access or modify our data without explicit permission of the owner.
Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to LogSnitch.
Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services, including denial of service.
Do not submit vulnerability reports or attempt to escalate tickets through our customer support channels - we will only triage reports through HackerOne.
We will not negotiate in response to duress or threats (e.g., we will not negotiate under threat of withholding the vulnerability details or threat of releasing the vulnerability or any exposed data to the public).
You are welcome to blog about any issues you’ve found, after the issues have been resolved. We appreciate any advance notice and/or blog content you can share with us prior to publication. Please do not disclose an issue prior to resolution or you will be removed from the program.
General presence/absence of headers, DNS records, TLS versions, cookie flags, or other best practices, without concrete evidence of exploitability
Password, email and account policies, such as email ID verification, reset link expiration, password complexity, etc.
Attacks requiring physical access to a user's computer
Reports from automated tools or scans
Reports of spam
CSV injection
Directory listing
Denial of service
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering of LogSnitch employees, contractors, or users
Absence of rate limiting
Hyperlink injection or any link injection in emails
"rel=noopener" or other tab-nabbing issues
Content/text spoofing vulnerabilities
User/admin enumeration
Editable GitHub wikis
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service and Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with LogSnitch's policy, LogSnitch will take steps to make it known that your actions were authorized.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not LogSnitch), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.
We will not share your report with a third party without your permission and/or gaining their commitment that they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Scope Type | Scope Name |
---|---|
web_application | api.logsnitch.com |
web_application | console.logsnitch.com |
web_application | flashpaper.logsnitch.com |
web_application | logsnitch.com |
web_application | mta-sts.logsnitch.com |
web_application | mta-sts.mail.logsnitch.com |
web_application | support.logsnitch.com |
web_application | www.logsnitch.com |
FireBounty crawled the LogSnitch program on the HackerOne platform on 2021-07-28.