Lovable Vulnerability Disclosure Program
Introduction
Lovable is on a mission to democratize coding so that anyone can build digital apps with just text or voice, and solid security is a crucial part of this journey. We want to provide the most secure and trusted vibe coding experience to every user, and for that we need your help. We trust you to find security problems and report them responsibly to our vulnerability disclosure program. While this program does not offer bounties, we are actively working on starting a private bug bounty program and will invite the best reporters to it when it goes live.
Program highlights
- Open Scope: Accepts reports for all owned assets based on impact, even if not listed in scope.
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
- Coordinated Vulnerability Disclosure: Standard coordinated vulnerability disclosure policy.
- Top Response Efficiency: This program's response efficiency is above 90%.
Response Metrics
- Average time to first response: 1 day, 3 hours
- Average time to triage: 2 days, 20 hours
- Average time to resolution: 1 month, 4 days
Disclosure Policy
- Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Lovable.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Always provide detailed reports with reproducible steps. A short video with a PoC is the best way to demonstrate the exploit.
- Avoid automated scanning, DAST, or fuzzing of Lovable APIs and endpoints.
- Social engineering (e.g., phishing, vishing, smishing) is strictly prohibited.
- Only interact with accounts you own or with the explicit permission of the account holder.
- Never target real users or companies. Consult with Lovable staff before performing any destructive or sensitive actions. While the program has a Safe Harbor policy, it is important to avoid any business impact on users, data, or availability as a result of your testing.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
- Always add the X-HackerOne-Research header to your requests to identify yourself as a legitimate researcher.
Identifying yourself as a researcher
Researchers should add the following header to all HTTP requests:
X-HackerOne-Research: [H1 username]
While you're welcome to create multiple accounts for research purposes, we ask that you use your HackerOne email alias when doing so.
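The easiest way to never forget the header is to install it at the HTTP-client layer rather than adding it to each request by hand. The following is an added example, not code from Lovable or HackerOne: it registers a urllib pre-processor so every http/https request sent through the resulting opener (including redirected requests) carries X-HackerOne-Research. The username "h1-example-user" and the lovable.dev URL in the demo are placeholders.

```python
"""Attach X-HackerOne-Research to every request made through urllib.

Added example for this page, not Lovable's or HackerOne's code. It assumes a
placeholder HackerOne username ("h1-example-user").
"""
import urllib.request

RESEARCH_HEADER = "X-HackerOne-Research"


class ResearcherHeaderHandler(urllib.request.BaseHandler):
    """urllib pre-processor that tags every outgoing http/https request.

    OpenerDirector calls each handler's <scheme>_request method before a
    request is sent, and again for any request produced by a redirect, so the
    header survives 3xx chains as well.
    """

    # Run before the default handlers (which use order 500).
    handler_order = 400

    def __init__(self, h1_username):
        if not h1_username or any(ch.isspace() for ch in h1_username):
            raise ValueError("HackerOne username must be non-empty and contain no whitespace")
        self.h1_username = h1_username

    def http_request(self, req):
        # urllib stores header names capitalized ("X-hackerone-research").
        # Header names are case-insensitive on the wire, so the server sees
        # the same header; do not clobber a value the caller already set.
        if not req.has_header(RESEARCH_HEADER.capitalize()):
            req.add_header(RESEARCH_HEADER, self.h1_username)
        return req

    https_request = http_request


def build_research_opener(h1_username):
    """Return an OpenerDirector whose every request carries the research header."""
    return urllib.request.build_opener(ResearcherHeaderHandler(h1_username))


def make_tagged_request(url, h1_username):
    """Build a Request for url and run it through the tagging handler (no network I/O)."""
    req = urllib.request.Request(url)
    return ResearcherHeaderHandler(h1_username).http_request(req)


def research_header_value(req):
    """Read the research header back from a Request, or None if it is missing."""
    return req.get_header(RESEARCH_HEADER.capitalize())


if __name__ == "__main__":
    # Demonstration only: build a tagged request without sending it.
    req = make_tagged_request("https://lovable.dev/", "h1-example-user")  # placeholders
    print(req.header_items())
    # To actually send requests, use the opener for all traffic:
    # opener = build_research_opener("h1-example-user"); opener.open(url)
```

The same effect can be had in an intercepting proxy by adding a request-header rewrite rule, so that browser traffic and tooling routed through the proxy are tagged as well; whichever path you use, spot-check a captured request to confirm the header is actually on the wire before you start testing.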
Focus of the Program
- Lovable Editor (lovable.dev) application security
- Generic project takeover via prompt injection (e.g. injections delivered via Lovable Cloud DB)
- Development sandbox escape or takeover
- Cross-tenant data access
- Coding agent escape (get access to underlying APIs or resources)
- Broken access controls or privilege escalation within workspace
Out-of-scope
This does not mean we do not care about the problems below, but we want to focus the VDP on novel exploits:
- TLS, infrastructure configuration, security headers, and clickjacking issues, unless they can be demonstrably exploited.
- AI or tooling prompt leakage.
- Unsafe AI instructions.
- AI jailbreaking, prompt injection, other types of AI attacks without proven impact.
- Injecting malicious code, vulnerabilities, or files into websites built with Lovable is out of scope. As creators fully control their own sites, self-reflected vulnerabilities (such as adding alert(1)) do not represent valid security issues in the Lovable platform. Reports must demonstrate a clear impact on other users or the Lovable infrastructure to be considered in scope. Findings limited to a reporter's own website or any customer-built apps (*.lovable.app, except if created by Lovable) will be marked as Not Applicable (N/A).
- Input validation issues unless part of a successful exploit chain.
- Information disclosure unless part of a successful exploit chain.
- Vulnerable dependencies or components unless part of a successful exploit chain.
We appreciate your time and effort and thank you for helping keep Lovable and our users safe!