Bountytalk - Forums Advertising & Bounty Hub

Other Bounties => Bug bounty programs => Topic started by: Angelina on May 04, 2023, 06:11:15 pm

Title: Lyst Bug Bounty
Post by: Angelina on May 04, 2023, 06:11:15 pm
https://www.lyst.com · @makinglyst

We award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.
P1: Critical – $5000+
Remote code execution
Privilege escalation
P2: High – $1000+
Stored XSS without user interaction
CSRF
SQL injection
Account takeover with user interaction
Domain or subdomain takeover of in-use or primary domains
P3: Medium – $300+
XSS with user interaction
Edge case performance issues which could be used for DoS
Domain or subdomain takeover of unused or utility domains
P4: Low – $100+
Mixed content warnings
Debugging information

Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Examples of vulnerabilities Lyst are particularly interested in hearing about
Authentication flaws
Cross-site scripting (XSS)
SQL Injection
Cross-site request forgery (CSRF/XSRF)
Mixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)
Server side code execution
Privilege Escalation
Authorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User)
Clickjacking on authenticated pages with sensitive state changes

Exclusions
While researching, we'd like to ask you to refrain from:
Submitting reports on help.lyst.com - we do not host this and issues here should be reported directly to @Zendesk instead.
Denial of service
Spamming
Social engineering (including phishing) of Lyst staff or contractors
Any physical attempts against Lyst property or data centers
Username enumeration
Exposure of social features such as users' saved items
Missing "best practices" without a clear demonstration of impact in our use case
CSRF on login/logout/other non-authenticated content
Missing headers
Secure and HttpOnly flags on cookies
crossdomain.xml misconfiguration without an exploit scenario

Thank you for helping keep Lyst and our users safe!