Introduction
Vend by Lightspeed's bug bounty program aims to build stronger relationships with the security community by rewarding security researchers for finding security vulnerabilities, in order to keep Vend by Lightspeed and its customers safe.
This page is intended for security researchers. For general information about security at Vend by Lightspeed, please see our main website.
Response Targets
Vend by Lightspeed will make a best effort to meet the following response targets for white hat hackers participating in our program:
- Time to First Response: 2 business days
- Time to Triage: 2 business days
- Time to Bounty: within 10 business days
- Time to Remediate: up to 90 days (dependent on the severity and complexity of the issue, excluding extenuating circumstances)
We’ll try to stay transparent and keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Vend by Lightspeed.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Check the list of domains that are in scope for useful information for getting started. If it's not in the list, please do not test it without explicit written permission from Vend by Lightspeed's Security team.
- Do not access customer or employee personal information. If you accidentally access any of these, please stop testing and report the issue immediately.
- Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first original report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded once.
- Testing should only be performed against shops you created and against the URLs in scope.
- You are not allowed to access any private information of any retail stores other than what you've created.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Large-scale scans using automated tools are strictly prohibited. Any testing that has a negative impact on our platform will be ineligible for bounty. In extreme cases, we will block your IP address without further notice or remove you from our program.
- Do not test the physical security of Vend by Lightspeed's offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.).
- Do not perform DoS attacks.
- Do not perform any research or testing in violation of law.
- Do not negotiate any of Vend by Lightspeed's rules and decisions.
- Do not test any third party services (e.g. support.vendhq.com, Vend by Lightspeed surveys served through e-mail and/or hosted by third parties, third party integrations used by our clients, etc.).
- You must not be an employee of Vend by Lightspeed. Vendors should report bugs with security impact directly to the Vend by Lightspeed security team.
- Respect our 'Test Accounts' policy and follow Vend by Lightspeed's report format to be eligible for complete rewards.
- Bugs that do not represent any security risks or demonstrate security impact will not be eligible for bounty.
- Vulnerabilities found in third party integrations should be reported to the responsible developer or third party that built the application or service. You may report vulnerabilities in our third party apps under this program if you do not receive any response from the responsible developer.
Creating Test Accounts
Vend by Lightspeed regularly purges accounts that perform suspicious activities on our services. Please ensure that you create test accounts using your HackerOne email alias (e.g. [email protected]). Please do not excessively create trial accounts on our systems to perform tests against the sign-up page.
Testing Guidance for Hackers
Vend by Lightspeed will:
- Accept report submissions where non-admin accounts can perform unauthorised “Write” access (create/update/delete) to main areas of Account-based Permission Areas and their sub-areas.
We consider privilege escalation or IDOR issues with “Write” access on specific areas (please refer to the guidance below) to be low severity vulnerabilities when they are limited to the scope of the same store account; the payout for these is $150. We will reward higher amounts for this type of issue, based on severity and impact, only when there is direct exploitation against other store accounts.
Type of Vend by Lightspeed User Accounts
| Type | Description |
|---|---|
| Admin | This is the primary user and account owner of a store (must be your HackerOne email alias), which has full access to the main permission areas below. |
| Non-admin | This could be a manager, cashier, or other user (with customised permissions) that has limited permissions to a store. Please ensure you only provide user emails that belong to you when creating any non-admin accounts. |
Account-based Permission Areas
Main Area: Sell
- Sub-areas:
  - Manual Store Credits
  - Store Credits for return sale
  - Create On Account/Layby sales
Main Area: Catalog
Main Area: Setup
- Sub-areas:
  - Users
  - Add ons / Integrations
  - Loyalty
Report Submission Format
When reporting vulnerabilities, please use the report submission format below, with detailed information and reproducible steps:
- Description
- Location/Affected Endpoints
- Reproduction Steps
- Likelihood Analysis
- Impact Analysis
- Risk Rating (Very Low/Low/Medium/High/Critical)
  - Likelihood
  - Severity of Impact
  - Overall Risk Rating
- Recommendation
- References (Optional)
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are specifically considered out of scope for our program and ineligible for rewards:
- Privilege escalation and Insecure Direct Object References (IDOR) issues that have read/view access to endpoints in the scope of the same retailer store
- CSV injection
- Hyperlink injection
- Content spoofing
- Open redirects without demonstrating additional security impact, such as stealing tokens to an arbitrary domain
- Internationalized domain name (IDN) homograph attack
- HTML Injection
- Tab nabbing
- User or retail stores enumeration
- Login/logout CSRF
- Brute force attacks
- Missing rate limits
- Distributed Denial of Service
- Reports related to self-DoS issues
- Issues related to excessive session timeout
- Reports from automated tools or scans
- Missing cookie flags on non-sensitive cookies
- MITM attacks over insecure HTTP connections
- Presence of autocomplete attribute on web forms
- Attacks requiring physical access to a user's device
- Social engineering techniques (phishing, vishing, etc.)
- Fingerprinting/banner disclosure on common/public services
- Mail configuration issues including SPF, DKIM, DMARC settings
- Disclosure of known public files or directories, (e.g. robots.txt)
- Use of a known-vulnerable or deprecated library (without evidence of exploitability)
- Vulnerabilities in third party applications which make use of the Vend API
- Vulnerabilities affecting users of unsupported or outdated browsers or platforms
- Any access to data where the targeted user needs to be operating a rooted mobile device, or extracted from a mobile device backup
- "Self" XSS (we require evidence on how the XSS can be used to attack another Vend by Lightspeed user)
- Stored XSS in the scope of any Reporting types under "Reporting" feature
- XSS issues in Angular
- Issues relating to password and account recovery policies, such as reset link expiration or password complexity
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
- Reports of SSL/TLS-related attacks (e.g. BREACH/BEAST/CRIME), insecure ciphers and protocols, unless you have a working proof of concept and not just a report from a scanner
- Any third party hosted services (e.g. support.vendhq.com) without proof of concept demonstrating impact on Vend by Lightspeed users
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, specific HTTP methods in use, or descriptive error messages
- Submissions from former Vend by Lightspeed employees within one year of their departure from Vend by Lightspeed
- Security bugs in software related to an acquisition for a period of 90 days following any public announcement
- Publicly-released bugs in Internet software within 3 days of their disclosure
- Any services operated by third party integrations without proof of concept demonstrating impact on Vend by Lightspeed users will likely be ineligible for bounty
- Submissions related to Token Request API endpoint in iOS Vend Register
- Submissions related to mobile SSL pinning
- Inconsistent validation between UI and API in form fields without clear security impact
Final note
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Vend by Lightspeed and our customers safe!