If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action for covered activities, and hope that we can compensate you for your efforts to make our products more secure.

Rules

• Use good judgment. If you find a vulnerability, don 't run it in production. Instead, use our non-production environment at legalrobot-uat.com.
• Again, don 't run tests against our production domain, legalrobot.com.
• Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data.
• Never attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).
• Do not interact with other users.
• Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create in our non-production environment are likely OK as long as they don 't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.
• Do not perform any research or testing in violation of law.
• Don 't ask for updates on a report or cross-post. Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.

Helpful Hints

• Our www subdomain is all static content, focus on the app subdomain.
• Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.
• We don't use cookie-based authentication.
• We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).
• We use Stripe __as our payment processor. See the testing documentation __for test credit card numbers that will result in a successful transaction in our non-production environment.
• Disputing a live Credit Card transaction will get you immediately banned and no longer exempted from legal action.
• It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).
• When possible, we post about unresolved bugs here: app.legalrobot.com/roadmap __. Check the"Known Issues" section before submitting a report.

Destructive/Invasive Attacks

All of the data in our non-production environment (legalrobot-uat.com) is non- sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that we cannot reproduce in production (legalrobot.com) will not be accepted.

Ineligible Reports

• Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).
• Version disclosure, unless it leads to a vulnerability.
• Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.
• Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).
• Social engineering, phishing, spear phishing, etc. including attacks that require self-exploit.
• Header injection, unless you can show how they can lead to stealing user data.
• Login/logout CSRF, or lack of CSRF tokens.
• Non-HTTPS links or links to dead websites.

Disclosure

In the interest of transparency, it is our policy to at least ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we 're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).

Duplicates

We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.

Safe Harbor

To encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy by legitimate security researchers. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against legitimate security researchers for circumventing the technological measures we have used to protect the applications in scope.

In case of any conflict between the terms of this policy and our Terms of Service __, this policy will prevail.

If legal action is initiated by a third party against you and you are a legitimate security researcher that has complied with this policy, we will make it known that your actions were conducted in compliance with this policy. Contact us at [security@legalrobot.com](https://hackerone.com/mailto:security@legalrobot.com "security@legalrobot.com")) for assistance.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

You are expected, as always, to comply with all applicable laws.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Questions

Always feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.

Thanks & Compensation

We believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily acknowledge your contribution. We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.