Author Topic: Lifeomic Bug Bounty [$300]  (Read 13013 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
    • View Profile
Lifeomic Bug Bounty [$300]
« on: May 02, 2023, 06:54:58 pm »
Submit bug report: https://lifeomic.com/

@lifeomic

Program Rules
• Please provide detailed reports with reproducible steps. The report must provide a clear proof of concept specific to LifeOmic that demonstrates an impactful security issue.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• If you are able to obtain access to production data, including PHI, please do NOT pivot internally, and do NOT exfiltrate any sensitive data. If you find a bug of this nature, please report it first and wait for instructions on how to proceed.
Severity Ratings
We decide the severity rating based on true impact to the business and end users. The more damage you could do or data you can access, the higher the reward will be. Unlike traditional programs and because we are mostly serverless, an RCE may not actually be a critical issue (unless you can get to sensitive data, pivot, etc), however a serious IDOR or business logic flaw could be. Show us your best impact.
Found the same vulnerability in multiple areas? If our fix works to solve the issue across all occurrences of the bug, we will pay out for a single occurrence of the bug. Example: An outdated JavaScript library allows for an XSS. The library is used on both subdomain1.dev.lifeomic.com and subdomain2.dev.lifeomic.com. Our fix of patching the library would fix the issue across both subdomains, so we will pay the hacker for the first report and mark the second as a duplicate of the first.
Known or Accepted Issues
We have several individual issues or issue classifications that will be marked as duplicates or N/A immediately upon submission. These include:
• Forgot password (and other) user enumeration - we are working on a long term fix.
• Session / token expiration - Tokens (except refresh tokens) should only last 60 minutes. Our tokens currently do not expire if the user logs out or changes their password. Tokens are not invalidated until they reach their minted expiration time. We are not accepting reports for these types of issues as we have identified and are applying a fix across our products.
• Public API keys / tokens that have been “leaked”. If the API key is meant to be public according to vendor documentation and/or the token cannot be used to perform unintended actions by the end user, the report will be marked N/A.
• Purposefully public data in the mobile app as per privacy settings, including first and last name, profile picture, profile description, cumulative LIFE points and surrounding metrics.
• Retaining file metadata in uploads that may expose an account's sensitive information, such as geolocation.
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
• Any vulnerability report without an impactful PoC - including but not limited to CSRF without impactful action (especially when unauthenticated), clickjacking on pages without sensitive actions, CORS misconfigs, use of libraries with CVEs without an exploit, self-XSS, injection without exploitation, etc.
• Attacks requiring MITM or physical access to a user's device.
• DoS or DDoS vulnerabilities (such as brute force or rate-limiting based issues).
• Issues related to third-party components, including WordPress sites, their themes, or their API like XMLRPC.php.
Response Targets
We understand that no one likes to wait. LifeOmic will make a best effort to meet the following response targets for hackers participating in our program:
• Time to first response (from report submit) - 5 U.S. business days
• Time to triage (from report submit) - 10 U.S. business days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
In order to simplify the process and decrease our overall time to resolution on reports, we do not offer report disclosure.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for your work in keeping LifeOmic safe for everyone. We’re excited to see what you have in store for us this year.