At Lamatic, we believe in collaborating with the global security researcher community to enhance the security of our products. By welcoming researchers to identify vulnerabilities in our systems, we aim to make our products more secure while fostering a cooperative security ecosystem. To this end, we reward researchers for their valuable contributions.
Scope of the Program
In Scope
The following areas and vulnerabilities are included in the Bug Bounty Program:
Products
- Web applications
- APIs
- Cloud services
Vulnerability Categories
- Cross-Site Scripting (XSS)
- SQL Injection
- Authentication flaws
- Data leakage
- Privilege escalation
Out of Scope
The following are not covered by the program:
- Social engineering attacks
- Physical security vulnerabilities
- Denial of Service (DoS) attacks
- Third-party integrations not owned or controlled by Lamatic
Submission Guidelines
Security researchers are required to provide enough detail for the issue to be reproduced and assessed. Submissions should include:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce the issue
- An impact analysis outlining the potential risk
- Supporting evidence such as screenshots, videos, or scripts
- Recommendations for remediation
Submission Process
- Email your findings to [email protected]
- Use the subject line `[Bug Bounty] <Bug Title>`
Response Times
We strive to provide timely responses to all submissions:
- Initial response: 24 hours
- Severity assessment: 48 hours
- Status updates: Every 5 business days
- Payment processing: Within 15 days of validation
Review Process
Step | Description |
---|---|
1. Acknowledgment | Confirm receipt of the report within 24-48 hours. Assign a unique Reference ID to track the submission. |
2. Initial Assessment | Validate that the issue is genuine; perform a duplicate check to confirm the bug has not been previously reported; share an NDA if necessary. |
3. Severity Analysis | Assess severity using a standard rating system such as CVSS. Critical: immediate, widespread impact (e.g., RCE, data breaches). High: significant functionality or security risk. Medium: moderate impact. Low: minor risk. |
4. Assignment & Prioritization | Assign the validated issue to the appropriate team and prioritize based on severity. |
5. Development & Fixing | Address the issue based on priority and ensure timely resolution. |
6. Researcher Verification | Notify the researcher upon resolving the issue. Provide testing environments or evidence (e.g., logs, screenshots) for verification. |
7. Reward & Closure | Issue the reward based on the severity, impact, and uniqueness of the vulnerability. |
8. Post-Resolution Analysis | Conduct a root cause analysis to identify gaps in code review, testing, or system architecture. |
Rules of Engagement
To ensure ethical conduct, researchers are required to adhere to the following guidelines:
Do’s | Don’ts |
---|---|
Test only within the defined scope. | Do not exploit vulnerabilities beyond proof-of-concept. |
Avoid impacting production systems. | Refrain from using automated tools that degrade performance. |
Report vulnerabilities immediately upon discovery. | Do not access or modify data without explicit consent. |
Legal Protections
Safe Harbor Clause
Lamatic provides safe harbor for researchers acting in good faith and will not pursue legal action against them, as long as they:
- Operate within the defined scope and guidelines
- Avoid compromising user data
- Do not disrupt services
- Responsibly report vulnerabilities through the program
Rewards
Severity Level | Example Vulnerabilities | Reward Range |
---|---|---|
Critical | Remote code execution, data breaches | $500–$1000+ |
High | Privilege escalation, bypassing authentication | $300–$500 |
Medium | Sensitive data exposure, API misuse | $100–$200 |
Low | Minor misconfigurations, non-sensitive info leaks | Goodies and swag |
Note: Rewards are determined based on the severity, reproducibility, and uniqueness of the submission.
Thank you for contributing to the security of Lamatic's products!