Bug Bounty Policy
Last modified : April 24th, 2022
Lokad offers a bug bounty program. Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Lokad. Issues may receive a lower severity due to the presence of compensating controls and context. The amount shown in the table should be considered the MAXIMUM amounts for each severity level.
Every issue report must indicate the real name and physical address of the security researcher issuing the report. If the security researcher operates on behalf of a company, then the address must, instead, be the one of the headquarters of the company. We will not investigate the validity of reported issues until we have received those elements. Later on, bounty payments - if any - will be required to match those elements.
The “high” and “critical” severities are restricted to the app accessible from go.testing.lokad.com (mirroring go.lokad.com) referred to as our core app and its dependencies which includes (without limitation):
- go.testing.lokad.com (mirroring go.lokad.com)
- files.testing.lokad.com (mirroring files.lokad.com)
- hub.testing.lokad.com (mirroring hub.lokad.com)
- …
We will not accept any claim for severity level beyond Medium if our core app is not impacted.
You may request, by email, a user access to the core app of Lokad. This can prove useful to pock the core app from the inside. Being granted an access to the core app remains at the discretion of Lokad.
| Severity | Amount in EUR |
|---|---|
| Critical | 1000€ - 2000€ |
| High | 250€ - 500€ |
| Medium | 100€ |
| Low | 50€ |
| Business Accepted Risk or Informational | 0€ |
Any vulnerability caused by a lowered security level (ex: using passwords instead of SAML, disabling session IP validation, relying on insecure channels like emails) are “Business Accepted Risk”. All non-compliance to generic but non-exploitable (best) practices are “Business Accepted Risk”.
The severity of the vulnerability takes into account the likelihood of the issue being actually exploited and the reliability of the exploit.
- Critical: The clients of Lokad can impacted by the issue, beyond simply losing the benefits they expect from Lokad. Ex: client data exfiltrated from the core app.
- High: The clients of Lokad can lose all the benefits they expect from Lokad. Ex: corrupting the results displayed by the core app.
- Medium: The clients of Lokad can lose some benefits they expect from Lokad. Ex: locking a user out of the core app.
- Low: A minor, but tangible, inconvenience to the clients of Lokad. Ex: generating a unexpected email notification for a targeted user.