Details

Security Vulnerability Disclosure Program

We encourage individuals outside our organization to help us find security vulnerabilities in our platform. Such individuals may use these guidelines to responsibly disclose issues:

Please write to [email protected] with details of any potential vulnerability in our products, meeting all the below mentioned criteria. We will get back within 48 hours of your submission.
Please refrain from doing security testing in existing customer accounts.
While doing your tests, please ensure that you do not violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or degrade user experience.
If your finding is valid and unique, we would be happy to acknowledge your efforts in our Hall of Fame page.

In Scope Domains

run.leadsquared.com
api.leadsquared.com

Excluded Test Cases

Please exclude the following test cases while conducting your tests:

Denial of Service attacks and Distributed Denial of Service attacks
Rate limiting, brute force attack
Missing HTTP security headers and cookie flags on insensitive cookies
Clickjacking / UI Redressing attack
Self-XSS and XSS that affects only outdated browsers
Host header and banner grabbing issues
Automated tool scan reports (Example: Web, SSL/TLS Scan, Nmap scan results etc.)
Login/logout/low-business impact CSRF
Unrestricted file uploads
Open redirects – unless they can be used for actively stealing tokens
User enumeration such as User email, User ID etc.
Session fixation and session timeout
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Email spoofing
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS/HSTS configuration
Vulnerabilities that send unsolicited bulk messages (spam)
Vulnerabilities reported by automated tools without analysis or qualification. Reports from automated web vulnerability scanners are acceptable only if you demonstrate the vulnerability is reproducible and has a security impact.
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Tabnabbing
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Vulnerabilities relying highly on social engineering aspect
Email flooding
Vulnerabilities such as xmlrpc that are no more valid on newer versions

Disclosure Policy

By default, this program is in "PUBLIC NONDISCLOSURE" mode which means: THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!

Security Vulnerability Disclosure Program

We encourage individuals outside our organization to help us find security vulnerabilities in our platform. Such individuals may use these guidelines to responsibly disclose issues:

Please write to [email protected] with details of any potential vulnerability in our products, meeting all the below mentioned criteria. We will get back within 48 hours of your submission.

Please refrain from doing security testing in existing customer accounts.

While doing your tests, please ensure that you do not violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or degrade user experience.

If your finding is valid and unique, we would be happy to acknowledge your efforts in our Hall of Fame page.

Excluded Test Cases

Please exclude the following test cases while conducting your tests:

Denial of Service attacks and Distributed Denial of Service attacks

Rate limiting, brute force attack

Missing HTTP security headers and cookie flags on insensitive cookies

Clickjacking / UI Redressing attack

Self-XSS and XSS that affects only outdated browsers

Host header and banner grabbing issues

Automated tool scan reports (Example: Web, SSL/TLS Scan, Nmap scan results etc.)

Unrestricted file uploads

Open redirects – unless they can be used for actively stealing tokens

User enumeration such as User email, User ID etc.

Session fixation and session timeout

Phishing / Spam (including issues related to SPF/DKIM/DMARC)

Email spoofing

Attacks requiring MITM or physical access to a user's device

Previously known vulnerable libraries without a working Proof of Concept

Comma Separated Values (CSV) injection without demonstrating a vulnerability

Missing best practices in SSL/TLS/HSTS configuration

Vulnerabilities that send unsolicited bulk messages (spam)

Vulnerabilities reported by automated tools without analysis or qualification. Reports from automated web vulnerability scanners are acceptable only if you demonstrate the vulnerability is reproducible and has a security impact.

Missing best practices in Content Security Policy

Missing HttpOnly or Secure flags on cookies

Tabnabbing

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

Vulnerabilities relying highly on social engineering aspect

Email flooding

Vulnerabilities such as xmlrpc that are no more valid on newer versions

LeadSquared

LeadSquared

Details

Security Vulnerability Disclosure Program

In Scope Domains

Excluded Test Cases

Disclosure Policy

Security Vulnerability Disclosure Program

In Scope Domains

Excluded Test Cases

Disclosure Policy