Hall of Fame


$100


No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Test Accounts

You must only test against accounts that you have created. You may register for accounts as long as you include the suffix +hackerone before the @ in your email address. For example

You may be banned for registering accounts without this string in your email address.

Test Cards

We have 5 test cards to use. Note that these are not real credit card numbers. No orders will be processed.

  • 4024007175579357
  • 4916375378230974
  • 4839456722548214
  • 4556908228877498
  • 4916736231570825

Use the address 921 Front St #100, San Francisco, CA 94111 for all of them.

Rate Limits and Bans

We enforce rate limiting on most of our website. This may result in your IP address being banned if you make more than around 160 requests per minute from a single IP address. Do not try to evade this limit.

If you are banned due to excessive activity, please halt requests and wait a short amount of time; the ban will be released automatically.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Examples of vulnerabilities Lyst is particularly interested in hearing about:

  • Authentication flaws
  • Cross-site scripting (XSS)
  • SQL Injection
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)
  • Server side code execution
  • Privilege Escalation
  • Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
  • Clickjacking on authenticated pages with sensitive state changes


While researching, we'd like to ask you to refrain from:

  • Submitting reports on - we do not host this and issues here should be reported directly to @Zendesk instead.
  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Lyst staff or contractors
  • Any physical attempts against Lyst property or data centers
  • Username enumeration
  • Exposure of social features such as users' saved items
  • Missing "best practices" without a clear demonstration of impact in our use case
  • CSRF on login/logout/other non-authenticated content
  • Missing headers
  • Secure and HttpOnly flags on cookies
  • crossdomain.xml misconfiguration without an exploit scenario

Thank you for helping keep Lyst and our users safe!

In Scope

Scope Type Scope Name

Out of Scope

Scope Type Scope Name

This program was found on HackerOne on 2017-02-13.

FireBounty © 2015-2020