Vulnerability Reward Program

LithicBlue maintains a Vulnerability Reward Program for its web properties, and welcomes external contributions that help us keep our users safe and their data secure. We appreciate the efforts of the information security community and their commitment to responsible disclosure of vulnerabilities.

Responsibly Reporting Vulnerabilities

Vulnerabilities may be responsibly disclosed via email to security@lithicblue.com. They will be evaluated by the security team, with a response SLA of two working days for acknowledgement of submission, and five working days for assessment of the issue.


Qualification Criteria

Vulnerabilities must meet the following criteria to be in scope for a reward:

  • Exist within a web service owned by LithicBlue that handles sensitive user data, e.g. properties hosted on https://*.lithicblue.com; and either
  • Substantially affect the confidentiality or integrity of user data; or
  • Allow privilege escalation, e.g. permit an unaffiliated attacker to gain access to information or resources in an arbitrary organisation.

Reward Eligibility

Our reward amounts are intended to be consistent with other equivalent programs. The final amount awarded depends on many factors, including:

Quality of Report

Inclusion of a clear PoC (ideally with video or screenshots), demonstration of impact/severity, provision of any necessary details to reproduce.

Severity of Issue

The scale of the compromise to confidentiality or integrity of user data in the context of LithicBlue's business goals and customer commitments.

Impact of Issue

The scale of the affected users or aspects of LithicBlue's business affected by the issue.

Higher bounties will be paid for particularly severe vulnerabilities, and lower bounties will be paid for vulnerabilities with limited scope or presented with a subpar report. We may also decide that a single report constitutes multiple issues, or multiple reports are sufficiently similar that they warrant only a single reward.

The first comprehensive, responsibly disclosed report of any particular issue will be eligible for a paid reward; subsequent reports of the same issue will not be. The time at which the email is received at security@lithicblue.com is the sole criterion for determining which report arrived first. We may decide at our discretion to reward a later report if the first report is of insufficient quality to enable effective remediation. Reports that break the guidelines for responsible reporting will not be eligible for any reward.

Excluded Issues

The following types of issues are specifically excluded from receiving rewards:

  • Access to or disclosure of known public resources (e.g. robots.txt or .well-known) or non-confidential information.
  • Denial of service and resource exhaustion attacks, including but not limited to email flooding, rate-limiting issues, and password or login brute forcing.
  • Any vulnerabilities found using automated scanners without a demonstrated, reproducible impact.
  • Any vulnerabilities related to clickjacking or exploitable only through clickjacking.
  • Attacks that require physical access to a user's device or account.
  • Content spoofing.
  • Missing HTTP security headers.
  • Network-based attacks outside our control, e.g. HTTP or DNS cache poisoning.
  • Missing or incorrect email DNS records (SPF, DKIM, DMARC).

Threat Model

Our threat model focuses on protecting the confidentiality and integrity of user and organisation data. This includes both external threats (third party data exfiltration) and internal threats (privilege escalation within organisations).

Cross-organisation access: Vulnerabilities that permit an unaffiliated attacker to access information or resources belonging to an arbitrary organisation are considered high severity.

Within-organisation escalation: Vulnerabilities that permit a user within an organisation to gain elevated privileges beyond their assigned role are also in scope. This includes, but is not limited to, member-to-admin escalation, access to restricted resources, or circumvention of permission controls.
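To make the two classes above concrete, here is an added illustration (not LithicBlue's code, and no claim about how its services are built) showing a vulnerable handler beside its hardened form for each: a document read that ignores organisation ownership (cross-organisation access) and a role change that trusts the request body (within-organisation escalation). All identifiers, role names and sample data are constructed for the example.

```python
from dataclasses import dataclass, replace

ROLES = ("member", "admin")  # assumed role names for the example; not LithicBlue's real roles


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    org_id: str
    content: str


class Forbidden(Exception):
    """Raised when an actor is not allowed to perform the requested action."""


def sample_state():
    """Constructed sample data: two organisations, each with its own users and a private document."""
    users = {
        "alice": User("alice", "org-a", "admin"),
        "bob": User("bob", "org-a", "member"),
        "mallory": User("mallory", "org-b", "member"),
    }
    docs = {
        "doc-1": Document("doc-1", "org-a", "org A quarterly figures"),
        "doc-2": Document("doc-2", "org-b", "org B customer list"),
    }
    return users, docs


# --- Cross-organisation access -------------------------------------------------

def get_document_vulnerable(users, docs, actor_id, doc_id):
    """Authenticates the caller but authorises nothing: the document is looked up by id alone,
    so a user from org-b can read org-a's data by guessing or enumerating ids."""
    if actor_id not in users:
        raise Forbidden("not logged in")
    return docs[doc_id].content


def get_document(users, docs, actor_id, doc_id):
    """Scopes the lookup to the caller's organisation. A document outside it is treated
    exactly like a non-existent one, so the response does not leak whether the id exists."""
    actor = users[actor_id]
    doc = docs.get(doc_id)
    if doc is None or doc.org_id != actor.org_id:
        raise Forbidden("no such document in your organisation")
    return doc.content


# --- Within-organisation escalation -------------------------------------------

def set_role_vulnerable(users, actor_id, target_id, new_role):
    """Trusts the request: any logged-in member can make themselves (or anyone) an admin."""
    if actor_id not in users:
        raise Forbidden("not logged in")
    users[target_id] = replace(users[target_id], role=new_role)
    return users[target_id].role


def set_role(users, actor_id, target_id, new_role):
    """Only an admin of the same organisation may change a role, and only to a known role."""
    actor = users[actor_id]
    target = users.get(target_id)
    if target is None or target.org_id != actor.org_id:
        raise Forbidden("no such user in your organisation")
    if actor.role != "admin":
        raise Forbidden("only organisation admins may change roles")
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    users[target_id] = replace(target, role=new_role)
    return users[target_id].role


def attempt(fn, *args):
    """Run an access attempt and report whether it was allowed or denied."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    users, docs = sample_state()
    # mallory (org-b) tries to read org-a's document
    print("cross-org read, vulnerable:", attempt(get_document_vulnerable, users, docs, "mallory", "doc-1"))
    print("cross-org read, fixed:     ", attempt(get_document, users, docs, "mallory", "doc-1"))
    # bob (member of org-a) tries to promote himself to admin
    print("self-promotion, vulnerable:", attempt(set_role_vulnerable, users, "bob", "bob", "admin"))
    users, docs = sample_state()
    print("self-promotion, fixed:     ", attempt(set_role, users, "bob", "bob", "admin"))
```

The two fixes share one design choice: the ownership check comes before the role check, and a resource in another organisation returns the same error as a missing one, so a probing attacker learns neither that the id exists nor which organisation it belongs to.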

Reward amounts will reflect the severity and impact of the vulnerability in context, with cross-organisation vulnerabilities typically commanding higher rewards than within-organisation escalation issues.

Investigating and Reporting Issues

Never attempt to access anyone else's data, and do not engage in any activity that would affect other users or LithicBlue's services. Please research vulnerabilities in good faith; we will treat all such submissions in the same good faith. Given reasonable advance notice before any public disclosure, we aim to respond to and fix bugs within a reasonable timeframe. Reward amounts will generally be confirmed and paid once an issue has been remediated in our production environments.

If you come across user data during the course of discovering vulnerabilities, please report it to us immediately, and do not store, copy, transfer, disclose, or otherwise retain this information.

Non-security issues, or queries about LithicBlue functionality, accounts, subscriptions, etc. should be directed to our customer support team via support@lithicblue.com.

Legal

LithicBlue is not responsible for any tax or other legal implications stemming from bounties based on citizenship and country of residency. International sanctions or other local laws may also affect the eligibility of any individual to receive a reward under this program.

Any decision to pay or not pay a reward is entirely at LithicBlue's discretion.

To contact our security team, please email security@lithicblue.com.