08/03/2018
LifeOmic

LifeOmic looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Everything you need to know to start hacking - IMPORTANT

We have built a hacker documentation site that outlines things like account creation, main points of entry, our tech stack, and fake test data. Let us know if you need anything added to make it easier to hack. Check it out here:

https://security.lifeomic.com/bugbounty/

Please only use your @wearehackerone.com email addresses for new account creation. Multiple accounts can be self-created using [username]+[any_identifier]@wearehackerone.com

Communication

We have set up a Slack workspace for you to use to collaborate with us and other LifeOmic hackers. We will occasionally announce new features/products available for testing here. Unless the question is sensitive, please try to ask in an open channel so all hackers have visibility. Please be patient as our response times may vary.

Get access here: Slack Invite Link

Rewards

This is really the most important part, right?

We have designed limited-edition hacker challenge coins for each severity level (Low-Critical) and will ship one of the coins out to you for your first valid finding of each severity level, plus award the corresponding bounty amount. To keep you coming back for more, every calendar year we will be rolling out new designs so you will be eligible to receive a new coin each year for the corresponding severity level.

Critical | High | Medium | Low
---|---|---|---
Critical Coin + $1500 | High Coin + $750 | Medium Coin + $200 | Low Coin

Our 2020 Coins: [image attachment]

Ratings: We decide the severity rating based on true impact. The more damage you could do or data you can access, the higher the reward will be. Unlike traditional programs, and because we are mostly serverless, an RCE may not actually be a critical (unless you can get to sensitive data, pivot, etc.); however, a serious IDOR or business logic flaw could be. Show us your best impact.

Found the same vulnerability in multiple areas? If our fix works to solve the issue across all occurrences of the bug, we will pay out for a single occurrence of the bug. Example: An outdated JavaScript library allows for an XSS. The library is used on both subdomain1.dev.lifeomic.com and subdomain2.dev.lifeomic.com. Our fix of patching the library would fix the issue across both subdomains, so we will pay the hacker for the first report and mark the second as a duplicate of the first. Have questions? Hit us up on our Slack instance.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you are able to obtain access to production data, including PHI, please do NOT pivot internally, and do NOT exfiltrate any sensitive data. If you find a bug of this nature, please report it first and wait for instructions on how to proceed.

Known or Accepted Issues

  • RCE in User-Defined Functions - We know this exists and we may receive reports on it, but we need you to take it a step further. UDFs are running on an AWS Lambda function, so to have a valid report you must get sensitive data or do something impactful with it. If you can get an AWS key from the Lambda, you are permitted to use it to try to achieve this. If you can show true impact here, more than just RCE on the Lambda, please report it.
  • Forgot password user enumeration - we are working on a long term fix
  • Token expiration - Tokens (except refresh tokens) should only last 60 minutes. If you find something otherwise, please report it for review.
  • Travis keys - They should all be encrypted. If you find an unencrypted key, please report it.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Internal IP exposure, unless you can do something impressive with it
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • CORS Misconfiguration or Host Header Injection (unless a PoC is provided that shows impact without user interaction)
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS, DDoS).
  • Brute-force / Rate-limiting
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Self-XSS
  • SPF/TXT records
  • RCEs without access to sensitive data (namely RCEs in User-Defined Functions that do not provide access to PII or PHI; feel free to test AWS keys you may find here)

Response Targets

We understand no one likes to wait. LifeOmic will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 5 business days
  • Time to triage (from report submit) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep LifeOmic and our users safe!

Thank you for your work in keeping LifeOmic safe for everyone. We’ve been so happy with your findings that we are now rewarding bounties for submissions!

If you would like an invitation to the private program, please email security@lifeomic.com with the title “Invitation to Private Program.”

We’re excited to see what you have in store for us this year!

Happy Hacking!

In Scope

Scope Type | Scope Name
---|---
web_application | *.infra.lifeomic.com
web_application | *.dev.lifeomic.com
web_application | *.dev.jupiterone.io
web_application | https://github.com/lifeomic/cli
web_application | com.lifeomic.lifefasting
web_application | com.lifeomic.lifeextend
web_application | com.lifeomic.life
web_application | com.lifeomic.LIFEExtend

Out of Scope

Scope Type | Scope Name
---|---
web_application | *.us.lifeomic.com
web_application | https://lifeapps.io
web_application | https://jupiterone.io/
web_application | https://support.jupiterone.io
web_application | info.lifeomic.com
web_application | info.jupiterone.io
web_application | jupiterone.com
web_application | lifeomic.com


This program, crawled on 2018-03-08, is sorted as bounty.

FireBounty © 2015-2020
