No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
You must only test against accounts that you have created. You may register for accounts as long as you add the tag +hackerone before the @ in your email address, for example firstname.lastname+hackerone@example.org.
You may be banned for registering accounts without this tag in your email address.
We have 5 test cards to use. Note that these are not real credit card numbers, and no orders placed with them will be processed.
Use the address 921 Front St #100, San Francisco, CA 94111 for all of them.
We enforce rate limiting on most of our website. Your address may be banned if you make more than around 160 requests per minute from a single IP address. Do not try to evade this limit.
If you are banned due to excessive activity, please halt your requests and wait a short time; the ban will be released automatically.
Cross-site scripting (XSS)
Cross-site request forgery (CSRF/XSRF)
Mixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)
Server side code execution
Authorization flaws / access control bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
Clickjacking on authenticated pages with sensitive state changes
While researching, we'd like to ask you to refrain from:
help.lyst.com - we do not host this, and issues found there should be reported directly to @Zendesk instead.
Thank you for helping keep Lyst and our users safe!
Contact us if you want more information.