Our customers trust us to keep their data secure and confidential. We take security seriously and work constantly to ensure that trust is well-founded. Have something to report? Please reach out to us at support@leadliaison.com
Responsible disclosure
We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion depending on the criticality of the vulnerability reported, and only the very first report will be considered.
You can report vulnerabilities by contacting support@leadliaison.com. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.
While we do accept XSS reports for form entries, any submission that is not against staging or athena and is placing fake information into client accounts will not be considered for reward.
Any reports against captello.com are not in scope. The infrastructure is identical between the two domains, so any report you could make against captello.com also applies to leadliaison.com.
Coverage
*.leadliaison.com
Specifically:
athena.leadliaison.com
staging.leadliaison.com
Exclusions
*.captello.com
www.leadliaison.com
wiki.leadliaison.com
email.leadliaison.com
status.leadliaison.com
box.captello.com
Accepted vulnerabilities are the following:
Cross-Site Scripting (XSS)
Open redirect
Cross-site Request Forgery (CSRF)
Command/File/URL inclusion
Authentication issues
Code execution
Code or database injections
This bug bounty program does NOT include:
Account/email enumerations
Denial of Service (DoS)
Attacks that could harm the reliability/integrity of our business
Spam attacks
Clickjacking on pages without authentication and/or sensitive state changes
Mixed content warnings
Lack of DNSSEC
Content spoofing / text injection
Timing attacks
Social engineering
Phishing
Insecure cookies for non-sensitive cookies or 3rd party cookies
Vulnerabilities requiring exceedingly unlikely user interaction
Exploits that require physical access to a user’s machine
Missing security headers which do not lead directly to a vulnerability
Missing best practices (we require evidence of a security vulnerability)
Automated scanning must be limited to 1 request per second (1rps) without prior agreement, and all bug bounty details must remain confidential.