Vulnerability Disclosure Policy
Loadster applauds the efforts of independent security researchers and "white hat" hackers. Anyone who takes time to responsibly disclose security vulnerabilities to us, so that we can fix them before our customers are impacted, has our gratitude.
If you are looking for security vulnerabilities or possible security-related bugs in our products and services, we request that you:
- Inform us of any vulnerabilities you discover as soon as possible.
- Allow a reasonable amount of time for us to resolve the issue before disclosing it to the public or a third party.
- Test responsibly to avoid privacy violations, data destruction, and degradation of our service. Do not transmit or link to any malware or engage in "black hat" behavior.
Please kindly send all bug and vulnerability reports to email@example.com.
Loadster is a small company without a formal bug bounty program, and we don't currently have budget allocated to bug bounties.
We have occasionally sent small payments as a token of gratitude to polite and professional researchers who go above and beyond to discover vulnerabilities and disclose them responsibly. Not all bug reports receive bounties. Even when we pay bounties, they might be smaller than you could get from a larger company with an official bug bounty program.
For bug reports where a bounty is warranted, Loadster can only send money to recipients who provide detailed contact information including a genuine full name and physical mailing address. We cannot pay bounties to anonymous researchers or researchers in countries currently subject to embargo by the United States of America.
Possible bounties are evaluated on a case-by-case basis and the amount is entirely at our discretion. Vulnerabilities must be plausibly exploitable to be considered for a bounty.
Certain types of vulnerabilities are always excluded from bounties, including:
- Denial of service (DoS/DDoS)
- Brute force attacks
- Unconfirmed reports from automated vulnerability scanners
- Content and email spoofing
- Social engineering attacks (including phishing)
- Physical attacks against our property and data centers
- Disclosure of version numbers
- Users exposing their account willfully or through negligence
If you have discovered a vulnerability and would like to check if it is eligible for a bounty, please email firstname.lastname@example.org with your contact information and details about the vulnerability.
Unfortunately, due to the large number of security researchers spamming us with boilerplate descriptions of vulnerabilities that they haven't even tested on our site, we will now only consider paying a bounty if the report includes detailed screenshots or video showing the exploit on our site. A generic description of a type of vulnerability is insufficient.