Introduction

No technology is perfect, and Localize believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue or vulnerability, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from testing against our production environment (localizejs.com and all subdomains). Instead, please test against our staging environment: https://localizestaging.com

Reports related to the following are also not eligible for reward:

• DDoS and DoS
• Request flooding
• Rate limit bypass
• Token leakage to 3rd party (unless such leak is critical)
• Reflected XSS (stored XSS reports are welcomed)
• DMARC / SPF / Email spoofing (unless critical)
• Brute force attacks
• Do not test the help/chat widget (external service, out of scope)
• Do not test the Help Center, help.localizejs.com (external service, out of scope)

IMPORTANT: This program will not pay bounties on reports that do not pose a security risk to users of the application. (For example, we will not award bounties for application bugs, UNLESS the bug can be exploited to compromise account security or result in inappropriate data disclosure)

Eligibility

You will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Localize security team has 30 days to respond to the report, and up to 90 days to implement a fix base on the severity of the report.

Please allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Localize brand, will result in immediate removal from the program.

• Any vulnerability found must be reported no later than 24 hours after discovery.
• You are not allowed to disclose details about the vulnerability anywhere else.
• You must avoid tests that could cause degradation or interruption of our production service.
• You must only test against non-production endpoints: https://localizestaging.com and https://app.localizestaging.com and all subdomains.
• You will not be eligible for reward if you test against production and removal from the program will be considered.

Rewards

Localize may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum rewards is $1,000 USD. Reward amounts may vary depending upon the severity of the vulnerability reported.

The following table outlines the average rewards for specific classes of vulnerabilities:

• Remote Shell / Command Execution: $1,000
• Significant Authentication Bypass: $500
• Application Permissions Bypass $200
• Local file Inclusion $200
• SQL Injection $200
• Insecure Direct Object References $200
• Server Side Request Forgery $150
• CSRF (site wide) $100
• XSS $50

Reports that include information about how the vulnerability can be exploited in the wild will receive higher reward amounts than vulnerabilities with low likelihood of exploitation.

To qualify for a reward under this program, you should:

1. Be the first to report a vulnerability.
2. Send a clear textual description of the report along with steps to reproduce the vulnerability.
3. Include attachments such as screenshots or proof of concept code as necessary.
4. Disclose the vulnerability report directly and exclusively to us.

A good bug report should include the following information at a minimum:

• List the URL and any affected parameters
• Describe the browser, OS, and/or app version
• Describe the perceived impact. How could the bug potentially be exploited?

Exceptions & Rules

Our bug bounty program is limited strictly to technical security vulnerabilities of Localize services, within Localize's Staging environment, listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed. Please see the "Exclusions" section above for issues that will not be considered.