Policy

LogSnitch looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Rules

We ask that you:

• Only do security testing from accounts with a "@wearehackerone.com" email tied to it.
• Only interact with your own accounts. Do not access or modify our data without explicit permission of the owner.
• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to LogSnitch.
• Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services, including denial of service.
• Do not submit vulnerability reports or attempt to escalate tickets through our customer support channels - we will only triage reports through Hackerone.

We will not negotiate in response to duress or threats (e.g., we will not negotiate under threat of withholding the vulnerability details or threat of releasing the vulnerability or any exposed data to the public).

You are welcome to blog about any issues you’ve found, after the issues have been resolved. We appreciate any advance notice and/or blog content you can share with us prior to publication. Please do not disclose an issue prior to resolution or you will be removed from the program.

Out-of-scope Vulnerabilities

• General presence/absence of headers, DNS records, TLS versions, cookie flags, or other best practices, without concrete evidence of exploitability
• Password, email and account policies, such as email id verification, reset link expiration, password complexity, etc
• Attacks requiring physical access to a user's computer
• Reports from automated tools or scans
• Reports of spam
• CSV injection
• Directory listing
• Denial of service
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering of LogSnitch employees, contractors, or users
• Absence of rate limiting
• Hyperlink injection or any link injection in emails
• "rel=noopener" or other tab-nabbing issues
• Content/text spoofing vulnerabilities
• User/admin enumeration
• Editable github wikis

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms of Service and Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with LogSnitch's policy, LogSnitch will take steps to make it known that your actions were authorized.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not LogSnitch), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

We will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.

Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.