Vulnerability Disclosure Policy

Loadster applauds the efforts of independent security researchers and "white hat" hackers. Anyone who takes time to responsibly disclose security vulnerabilities to us, so that we can fix them before our customers are impacted, has our gratitude.

If you have discovered a security vulnerability or possible security-related bug in our products and services, we request that you:

  • Let us know about it as soon as possible!
  • Allow a reasonable amount of time for us to resolve the issue before disclosing it to the public or a third party.
  • Test responsibly. Make a good faith effort to avoid privacy violations, data destruction, and degradation of our service. Do not transmit or link to any malware or engage in "black hat" behavior.

Please kindly send all bug and vulnerability reports to help@loadster.app.

Bug Bounties

Loadster does not have a formal bug bounty program, but we have on occasion sent payment as a token of gratitude to researchers who went above and beyond to discover vulnerabilities and disclose them responsibly. Not all bug reports receive bounties.

Due to accounting and regulatory requirements, Loadster can only pay bounties to recipients who provide detailed contact information, including a genuine full name and address. We cannot pay bounties to anonymous researchers or researchers in countries currently subject to embargo by the United States of America.

Possible bounties are evaluated on a case-by-case basis and the bounty amount is at our discretion. Certain types of vulnerabilities are always excluded from bounties, including:

  • Spamming
  • Denial of service (DoS/DDoS)
  • Brute force attacks
  • Unconfirmed reports from automated vulnerability scanners
  • Content and email spoofing
  • Social engineering (including phishing)
  • Physical attacks against our property and data centers
  • Disclosure of version numbers

If you have discovered a vulnerability and would like to check if it is eligible for a bounty, please email help@loadster.app with your contact information and details about the vulnerability.