Semmle looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Please be aware that we have recently updated our scope; check our in-scope asset list before attempting any testing. Any testing against out-of-scope domains will be marked as N/A.
Semmle will make a best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Vulnerabilities affecting the following domains are in scope and may qualify for a bounty:
Note: there is no need to request any sign-ups. Only lgtm-com.pentesting.semmle.net has any user access for the purposes of this program, and you may self-register accounts there.
Note: all production sites, including semmle.com, *.semmle.com, lgtm.com and *.lgtm.com, are out of scope.
In addition, non-HTTP/HTTPS services on the network 184.108.40.206/28 are also eligible for bounties. This network range represents one of our public networks used for front-end hosting.
Other domains, or subdomains not listed above are not in scope and will not qualify for a bounty.
Semmle’s product is LGTM, a code analysis system which works by retrieving source code from version control systems, building it (in some cases) with custom tooling, and producing analysis results.
The product comes in two variants: a publicly hosted version (lgtm.com) which anyone is free to use to analyse publicly available projects on common hosting platforms such as Github and Bitbucket; and an enterprise offering suitable for use in corporate environments.
The public version uses Docker containers to isolate the build and analysis environment from the rest of the infrastructure. By nature this environment permits arbitrary code execution by any registered user, so the quality of isolation is a critical part of the security model. The public site includes two user types (user and admin user) as well as anonymous access.
This program includes a dedicated test instance of lgtm.com. In the future it may also offer an accessible version of our enterprise product.
Examples of qualifying vulnerabilities likely to be eligible for a bounty:
The following issues are considered out of scope:
You can contact Semmle with queries about the bug bounty program by emailing firstname.lastname@example.org.
Thank you for helping keep Semmle and our users safe!