No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
You must only test against accounts that you have created. You may register for accounts as long as you include the suffix +hackerone before the @ in your email address, for example test+hackerone@example.com.
You may be banned for registering accounts without this string in your email address.
We have 5 test cards to use. Note that these are not real credit card numbers, and no orders placed with them will be processed.
4024007175579357
4916375378230974
4839456722548214
4556908228877498
4916736231570825
Use the address 921 Front St #100, San Francisco, CA 94111 for all of them.
We enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try to evade this limit.
If you are banned due to excessive activity, please halt requests and wait a short amount of time; the ban will be released automatically.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Authentication flaws
Cross-site scripting (XSS)
SQL Injection
Cross-site request forgery (CSRF/XSRF)
Mixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)
Server side code execution
Privilege Escalation
Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
Clickjacking on authenticated pages with sensitive state changes
While researching, we'd like to ask you to refrain from:
Submitting reports on help.lyst.com: we do not host this, and issues found there should be reported directly to @Zendesk instead.
Denial of service
Spamming
Social engineering (including phishing) of Lyst staff or contractors
Any physical attempts against Lyst property or data centers
Username enumeration
Exposure of social features such as users' saved items
Missing "best practices" without a clear demonstration of impact in our use case
CSRF on login/logout/other non-authenticated content
Missing headers
Secure and HttpOnly flags on cookies
crossdomain.xml misconfiguration without an exploit scenario
Thank you for helping keep Lyst and our users safe!
Scope Type | Scope Name |
---|---|
android_application | com.lyst.lystapp |
ios_application | 597940518 |
web_application | *.lyst.com |
web_application | cdna.lystit.com |
web_application | mobileapi.lystit.com |
web_application | *.lystit.com |
web_application | *.lyst.co |
Scope Type | Scope Name |
---|---|
web_application | help.lyst.com |
This program was found on HackerOne on 2017-02-13.
FireBounty © 2015-2024