lichess.org is a free and open source chess server powered by volunteers and donations. Up to 140,000 concurrent people around the world play up to 6 million chess games on lichess.org every day. Read more about Lichess here.
We are a non-profit and don't answer to any shareholders, only our users. That is reflected in our discussions and decisions every day. We care deeply about the security of our platform and the data of our users. We continue to invest time and effort into improving our security, and we believe engaging the HackerOne community will help us further that goal.
If you believe you've found a security issue in our platform, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
HTTP throttling
- We have a non-trivial system of rate limiting in place
- If you receive HTTP 429 Too Many Requests, slow down
- Up to 180 requests per minute is fine for most endpoints, except for those that test passwords and send emails
- If your IP is banned, email [email protected] with your IP and refer to this program to get unbanned (this may take some time so try hard to avoid it)
Rewards
This program does not provide monetary rewards for bug submissions.
Lichess is a non-profit, and our only income is from user donations. Here is our budget. This is the first time we're running a vulnerability disclosure program, and we're not sure what to expect. We will try to react to incoming reports as quickly and professionally as we can. For valid reports, we would be happy to add your name (or a pseudonym) and a thank you on our Thank you! page.
Response Targets
Lichess aims to meet the following response targets:
- Time to first response: 1 day after report submission
- Time to triage: 2 days after report submission
- Time to resolution: 30 days
Disclosure
- We aim to disclose all valid vulnerabilities through the HackerOne platform once the issue has been confirmed and resolved
- Vulnerabilities may be partially disclosed through GitHub activity in our public repository
Program Rules
This bug bounty program is for a production environment. It is therefore extremely important to be aware of, and follow, the rules below, in addition to using common sense.
- Perform testing only on assets that are included in the defined scope of the program
- Make good faith efforts to avoid privacy violations, destruction of data, interruption or degradation of service, and any annoyance or inconvenience to Lichess users
- Do not create more than 5 user accounts unless you get explicit and individual permission to do so
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept
- Cease testing and submit a report immediately if you encounter any private user data during testing
- All publicly released 0-day exploits have a blackout period of 7 days before they will be accepted in this program
- Do not publicly discuss or publish any vulnerability before we have disclosed the report in HackerOne
- Provide an appropriate level of detail with reproducible steps so that the issue can be reproduced
- Please include relevant HTTP requests/responses in the report. This will help us to triage reports more effectively
- Submit one vulnerability per report, unless you need to chain vulnerabilities to show impact
- All forms of social engineering (e.g. phishing, vishing, smishing) are strictly prohibited
- Do not perform any infrastructure Denial of Service attacks
Exclusions
Please do not submit issues regarding:
- Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability
- Findings from automated tools without providing a Proof of Concept
- (D)DoS
- Missing X-Content-Type-Options, Referrer-Policy or Feature-Policy headers
- Non-sensitive data disclosure, including software version information, confirmation that a specific email address is in use, or confirmation of the existence (but not the content) of sensitive information
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Previously known vulnerable software or libraries without a working Proof of Concept
- Vulnerabilities requiring access to a user's browser, smartphone, or email account
- CSRF from local files (file://) using https://bugzilla.mozilla.org/show_bug.cgi?id=1608391
- Cheating at puzzles, including /training, /racer, /storm, /streak and /learn. There are no leaderboards so we don't need to moderate those.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Lichess and our users safe!