Policy

Lob looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Rewards

These values are indicative and we reserve the right to award a different amount or whether a reward should be granted at all. At the end of the day we care about protecting our users' data, and the rewards correspond to how much user data is put at risk by your findings.

We typically reward lower amounts for low-quality reports without sufficient details, vulnerabilities that require significant user interaction, or vulnerabilities that only work on outdated browsers and platforms. We also might pay higher rewards for clever or severe vulnerabilities. We aim to pay out rewards within two weeks of triage. Here are some example rewards for vulnerabilities affecting the core Lob application:

|Vulnerabilities|Reward|

|-|-|

|RCE*|$5000|

|SQLi, SSRF*, LFI, etc|$2500|

|XSS, CSRF on sensitive actions, etc|$500|

|Application logic resulting in data exposure, Privilege escalation, CSRF on non-sensitive actions, etc|$100-$500|

|Minor misconfigurations, mixed-content issues, other low severity issues|$100|

RCE Note: One of the most likely places in our architecture for a RCE to occur is in our content rendering pipeline. As a result we have sandboxed all rendering, such that even if you have full code execution you cannot read the mail content of other customers. Therefore RCEs in our rendering pipeline will only pay out $1500, unless you can find a sandbox escape to read other customers' data, which would then qualify for a full $5000. Any RCE outside of our rendering pipeline would also get a full $5000.

SSRF Note: There are many places in our application that accept an external url as input and fetch it. This is intentional behavior. For your SSRF ticket to be triaged as valid you must be able to access a host on our internal network.

Program Rules

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

• Only do security testing from accounts with a "@wearehackerone.com" email tied to it. Accounts with this email get full account features enabled (i.e. teams, etc). If you test from a non-hackerone account we will deactivate your Lob account.

• Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts

• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Lob

• Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services, including denial of service

• Do not submit vulnerability reports or attempt to escalate tickets through our customer support channels - we will only triage and pay out for reports through Hackerone.

We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability details or threat of releasing the vulnerability or any exposed data to the public).

You are welcome to blog about any issues you’ve found, after the issues have been resolved. We appreciate any advance notice and/or blog content you can share with us prior to publication. If you disclose an issue prior to resolution you will be removed from the program.

Lob employees and their family members are not eligible for bounties.

Out-of-scope Vulnerabilities

• General presence/absence of headers, DNS records, TLS versions, cookie flags, or other best practices, without concrete evidence of exploitability

• Password, email and account policies, such as email id verification, reset link expiration, password complexity, etc

• Attacks requiring physical access to a user's computer

• Reports from automated tools or scans

• Reports of spam

• CSV injection

• Directory listing

• Denial of service

• Vulnerabilities affecting users of outdated browsers or platforms

• Social engineering of Lob employees, contractors, or users

• Absence of rate limiting, unless related to authentication

• Hyperlink injection or any link injection in emails

• "rel=noopener" or other tab-nabbing issues

• Content/text spoofing vulnerabilities

• Self-XSS

• login/logout CSRF, unless as part of a larger exploit chain

• xmlrpc reports for Wordpress properties

• user/admin enumeration

• editable github wikis

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service and Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Lob's bug bounty policy, Lob will take steps to make it known that your actions were conducted in compliance with this policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not Lob), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

We will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.

Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Lob reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.