Lightspark Bug Bounty Program
Introduction
We're Lightspark, a company dedicated to next-gen infrastructure for open payments on the Internet. We're building an always-on, universal payment network, to make moving money easy, no matter who you are or where you live. Security is critical to everything we do, and we're committed to working with hackers to detect and fix vulnerabilities as soon as possible. Thank you for helping us secure the future of payments!
Before submitting your report, please review the guidelines provided below, and for more information about Lightspark, check out https://www.lightspark.com/
Program Highlights
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor
- Platform Standards: Fully compliant with Platform Standards
- Top Response Efficiency: This program's response efficiency is above 90%
- Managed by HackerOne with Collaboration Enabled and Retesting
Response Times
| Type of Response | SLA in business days |
|---|---|
| First Response | 3 days |
| Time to Triage | 5 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
Average Response Metrics:
- Average time to first response: 1 day, 2 hours
- Average time to triage: 2 days, 21 hours
- Average time to bounty: 1 week, 6 days
- Average time from submission to bounty: 2 weeks, 2 days
- Average time to resolution: 2 weeks, 6 days
Rewards
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and reward decisions are at the discretion of Lightspark.
| Severity | Average Bounty | Percentage of Submissions |
|---|---|---|
| Low | n/a | 17.86% |
| Medium | $750 | 57.14% |
| High | $2,000 | 14.29% |
| Critical | $5,000 | 10.71% |
Scope
In Scope Testing Targets
For testing the product at https://app.lightspark.com:
- You can sign up for an account and use the service in Test Mode
- The API endpoint is located at https://api.lightspark.com/
- You can find the API documentation at https://app.lightspark.com/docs (an account is needed for access)
For testing the product at https://link.uma.me and link.uma.money:
- To sign up for an account on https://link.uma.me, you may use your own information if you choose
- For more information: https://www.uma.money
Scope Exclusions
This program will not accept submissions for assets that are not explicitly listed as in scope.
The following categories are out of scope:
- Known vulnerable libraries without a working PoC: Reports of vulnerable libraries must include a PoC demonstrating that the library is actually exploitable as used in the relevant application
- DoS attacks: Do not perform any action that could affect the availability of our systems, without explicit authorization. This includes, but is not limited to, attacks involving high request volumes.
- support.lightspark.com and [email protected]: The domain support.lightspark.com and the email address [email protected] are out of scope. Please do not attempt to use this domain or email address, as doing so may disqualify you from future rewards.
- Attacks against Spark requiring a malicious SO: At present, attacks requiring a malicious SO are excluded.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Note that the domain support.lightspark.com and the email address [email protected] are out of scope. Please do not attempt to use this domain or email address, as doing so may disqualify you from future rewards.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Scope Leniency
This program will not accept submissions for assets that are not explicitly listed as in scope.