LoginRadius Bug Bounty Program
This program exists to improve LoginRadius's cybersecurity posture through formalized community involvement.
Responsible Disclosure Policy
The policy:
- Let us know as soon as possible upon the discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- The reports MUST include clear steps (Proof of Concept) to reproduce and re-validate the vulnerability. You can attach videos, images in standard formats.
- Any submission, whether rewarded or not, including Duplicate, Out of Scope, and Not Applicable submissions, is not to be disclosed to the public at any level of detail at any time unless LoginRadius gives explicit, written permission.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep LoginRadius and our users safe.
Scope Of Bug Bounty Program
The LoginRadius.com website and the adminconsole.loginradius.com and api.loginradius.com domains are all within scope. The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.
Exclusions / Out Of Scope
While researching, we’d like to ask you to refrain from:
- Denial of service (DoS) attacks
- Spamming
- Automated scan reports
- Social engineering (including phishing) of LoginRadius staff or contractors
- Deprecated browsers and/or systems
- Any physical attempts against LoginRadius property or data centers
- Fingerprinting / banner disclosure on common/public services
- Weak Captcha / No Captcha / Captcha Bypass
- Reporting on missing sensitive security headers
Reward
Bug Bounty program rewards are at the sole discretion of LoginRadius’ InfoSec team.
- The minimum reward for eligible bugs is the equivalent of $50 USD.
- Rewards above the minimum are at our discretion, but we will pay significantly more for particularly serious issues, i.e. where the identified issue could put a significant number of users at risk of severe damage, monetary or otherwise.
- Each bug will only be considered for a reward once.
Get Started
- Find a security issue: Locate a security bug/issue on the LoginRadius website, the customer portal, or with our API.
- Write to us: Create a report, including steps to reproduce the bug/issue, and attach additional evidence if needed.
- Receive a reward: The higher the severity of the bug, the higher the value of the reward.
Report A Security Bug
- Send your bug report to [email protected]
- Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.
- Include your name, email address, and country.
- Please allow 5 business days for us to respond before sending another email.
- You are expected to respect all the LoginRadius Bounty Program Rules (See below). Non-adherence or non-compliance will automatically disqualify you.
Bounty Program Rules
- Please don't send information through any other channel, such as other email addresses, chat, support, etc. Reports sent through those channels won't be entertained and may disqualify you from the program.
- The LoginRadius InfoSec team will try to remediate a reported in-scope vulnerability as soon as possible; however, this may take up to a few months.
- The LoginRadius InfoSec Team is responsible for making the final decision on bug eligibility and value.