
13/02/2017

Reward: 100 $

Lyst

No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Test Accounts

You must only test against accounts that you have created. You may register for accounts as long as you include the suffix +hackerone before the @ in your email address. For example test+hackerone@example.com.

You may be banned for registering accounts without this string in your email address.

Test Cards

Five test cards are available. These are not real credit card numbers, and no orders placed with them will be processed.

  • 4024007175579357
  • 4916375378230974
  • 4839456722548214
  • 4556908228877498
  • 4916736231570825

Use the address 921 Front St #100, San Francisco, CA 94111 for all of them.
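A quick way to confirm that the five numbers above will get past client-side checkout validation is to run them through the Luhn (mod 10) check that card forms apply. This is an added example, not code from Lyst or FireBounty: the five PANs are copied from the list above, everything else (function names, the accepted 12-19 digit length range, the mutated sample values) is this example's own. Passing Luhn only means a number is well formed; it says nothing about the number being issued or billable, which is exactly the property one wants from a test card.

```python
"""Luhn (mod 10) validation of the Lyst test card numbers.

Added example, not part of the program text. The PANs in
LYST_TEST_CARDS are taken from the program page; the helper functions
and the length bounds are this example's own choices.
"""

# Copied from the program page (these are published test numbers).
LYST_TEST_CARDS = [
    "4024007175579357",
    "4916375378230974",
    "4839456722548214",
    "4556908228877498",
    "4916736231570825",
]


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a pure digit string (0 means valid)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # equivalent to adding the two digits of the product
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if `pan` (spaces/dashes tolerated) is a 12-19 digit Luhn-valid PAN.

    The 12-19 range is a common PAN length bound used here as an assumption,
    not something the program page states.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the digit that makes `partial + digit` Luhn-valid.

    Appending a digit shifts the doubling parity of every existing digit,
    so the sum is taken over `partial + "0"` and the complement returned.
    """
    return str((10 - luhn_checksum(partial + "0")) % 10)


def classify(pans) -> dict:
    """Map each PAN to whether it is Luhn-valid."""
    return {pan: luhn_valid(pan) for pan in pans}


if __name__ == "__main__":
    for pan, ok in classify(LYST_TEST_CARDS).items():
        print(pan, "luhn-valid" if ok else "INVALID")
```

All five published numbers are Luhn-valid, so a front end that only checks the checksum will accept them; a single-digit change or an adjacent-digit swap (both constructed in the test below) is rejected, which is the error class Luhn was designed to catch.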

Rate Limits and Bans

We enforce rate limiting on most of our website. Your address may be banned if you make more than around 160 requests per minute from a single IP address. Do not try to evade this limit.

If you are banned due to excessive activity, halt your requests and wait a short time; the ban is lifted automatically.
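The practical consequence of the limit above is that testing tools need to be paced rather than run at their default speed: a scanner doing ten requests a second is at 600 per minute and will be banned in well under a minute. The following is an added example, not code from Lyst or FireBounty, of a client-side sliding-window pacer that keeps a single-IP test loop under a budget. The 160/min figure comes from the program text; the 20% safety margin (a budget of 128/min), the class and function names, and the injectable fake clock are this example's own assumptions. This stays under the limit; it does not attempt to evade it.

```python
"""Client-side pacing so a test loop stays under a per-IP rate limit.

Added example, not part of the program text. PUBLISHED_LIMIT_PER_MIN is
taken from the program page; the margin, the sliding-window design and
the fake clock used for deterministic verification are assumptions of
this example.
"""
import time
from collections import deque

PUBLISHED_LIMIT_PER_MIN = 160                              # from the program page
SAFE_BUDGET_PER_MIN = int(PUBLISHED_LIMIT_PER_MIN * 0.8)   # 128: our 20% margin (assumed)


class SlidingWindowPacer:
    """Never permit more than `limit` sends in any rolling `window` seconds.

    `clock` and `sleep` are injectable so the invariant can be verified
    without waiting real minutes (see `simulate` below).
    """

    def __init__(self, limit, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit = limit
        self.window = window
        self._clock = clock
        self._sleep = sleep
        self._sent = deque()      # send timestamps still inside the window

    def _prune(self, now):
        # Sends at least `window` seconds old no longer count against the budget.
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()

    def delay_needed(self):
        """Seconds to wait before the next send fits the budget (0.0 if now)."""
        now = self._clock()
        self._prune(now)
        if len(self._sent) < self.limit:
            return 0.0
        # The oldest in-window send must age out before we may send again.
        return self.window - (now - self._sent[0])

    def acquire(self):
        """Block until a send is permitted, then record it."""
        delay = self.delay_needed()
        if delay > 0:
            self._sleep(delay)
        self._sent.append(self._clock())


class FakeClock:
    """Deterministic clock for tests: sleep() simply advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def peak_in_window(timestamps, window):
    """Largest number of sends inside any half-open interval [t, t + window)."""
    peak = 0
    for start in timestamps:
        count = sum(1 for t in timestamps if start <= t < start + window)
        peak = max(peak, count)
    return peak


def simulate(n_requests, limit=SAFE_BUDGET_PER_MIN, window=60.0):
    """Drive the pacer with a fake clock.

    Returns (simulated seconds elapsed, peak sends in any rolling window).
    The second value is the invariant that keeps the client under the ban
    threshold; it must never exceed `limit`.
    """
    clk = FakeClock()
    pacer = SlidingWindowPacer(limit, window, clock=clk.now, sleep=clk.sleep)
    sent_at = []
    for _ in range(n_requests):
        pacer.acquire()           # a real tool would issue its HTTP request here
        sent_at.append(clk.t)
    return clk.t, peak_in_window(sent_at, window)


if __name__ == "__main__":
    elapsed, peak = simulate(300)
    print(f"300 requests took {elapsed:.0f}s simulated; peak {peak}/min (budget {SAFE_BUDGET_PER_MIN})")
```

In real use, construct `SlidingWindowPacer(SAFE_BUDGET_PER_MIN)` with the default real clock and call `acquire()` immediately before each request; if several processes share one egress IP, the budget must be divided between them, since the limit described above is per source address.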

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Examples of vulnerabilities Lyst is particularly interested in hearing about

  • Authentication flaws
  • Cross-site scripting (XSS)
  • SQL Injection
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)
  • Server side code execution
  • Privilege Escalation
  • Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
  • Clickjacking on authenticated pages with sensitive state changes

Exclusions

While researching, we'd like to ask you to refrain from:

  • Submitting reports on help.lyst.com - we do not host this and issues here should be reported directly to @Zendesk instead.
  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Lyst staff or contractors
  • Any physical attempts against Lyst property or data centers
  • Username enumeration
  • Exposure of social features such as users' saved items
  • Missing "best practices" without a clear demonstration of impact in our use case
  • CSRF on login/logout/other non-authenticated content
  • Missing headers
  • Missing Secure and HttpOnly flags on cookies
  • crossdomain.xml misconfiguration without an exploit scenario

Thank you for helping keep Lyst and our users safe!



FireBounty (c) 2015-2019