The private testing has started!


Please, mind this article is being drafted or rewritten and may contain imperfections. It has not been yet reviewed for final publication.

A bug bounty program is a deal offered by many websites, organisations and software developers. Individuals can receive recognition and compensation for reporting bugs, especially those about security exploits and vulnerabilities.

Liverado Bug Bounty program

Project description

Liverado.com is owned and operated by Liverado Pte. Ltd. (the "Company", "We", "Liverado"). The Company provides secure email with the latest technology to protect users' mailboxes from viruses, malware, spam, and phishing attacks. Users' emails are encrypted with end-to-end encryption. All users' data is stored in Switzerland with zero-knowledge encryption (Even Liverado cannot read your messages).

Vulnerability Disclosure Policy

The Company regards the security of its systems as a top priority. This Policy is intended to provide guidance for external/independent security analysts so that they can responsibly report any vulnerabilities in Liverado's systems. We will investigate legitimate reports and make every effort to resolve any vulnerabilities quickly.

To encourage responsible reporting, we will not take legal action against you or require law enforcement to investigate you, provided you adhere to the following guidelines:

  • Make good faith efforts to avoid invasion of privacy.

  • Avoid destroying our data.

  • Avoid interrupting or degrading our services.

If you comply with this Policy, we will not take any legal action against you for reporting.

Languages

Please submit your report in the following languages:

  • English

  • Chinese

  • Spanish

Scope

This Policy is limited to security breaches in the Liverado web application; under no circumstances should you attempt phishing attacks on our users. To keep our service available to all users, please do not attempt DoS attacks, send spam, or do other similarly questionable things. Vulnerability testing tools that automatically generate large amounts of traffic are strictly prohibited. The scope of the Policy applies only to the following site:

https://liverado.com

Reward

We accept all reports, but we reward legitimate reports only.

For a successful report, if you agree, we will display your name, social media link, or website link on our contributors' page as a reward.

You may be eligible for an award if:

  • You are the first person to submit the website bug.
  • Liverado determines that the vulnerability is a valid security issue.

We will assess the severity, impact, and quality of each report, and Liverado has the right to make the final decision on whether to reward you.

Performance expectations

We will respond to your report with our assessment. Please refer to the timetable to know our estimated response time.

  • First response time: Less than 2 business days.
  • Triage time: Less than 5 business days.
  • Resolution time: Less than 30 business days.

Exclusion

The following vulnerabilities are not eligible under this Policy:

  • Network-level denial of service attack.

  • Denial of service through applications that lock user accounts.

  • Descriptive error message or title (e.g. stack trace, banner grab).

  • Publicly known public files or directories (such as robots.txt).

  • Outdated software/library versions.

  • OPTIONS / TRACE HTTP method enabled.

  • CSRF on logout.

  • CSRF on forms available to anonymous users.

  • Missing HttpOnly or Secure flags on cookies that do not contain sensitive data.

  • Self-XSS and problems that can only be exploited through Self-XSS.

  • Reports generated by automated scanning utilities without additional details or POCs demonstrating specific exploits.

  • Attacks that require physical access to user devices.

  • The attack depends on the social engineering of Smartling employees or suppliers.

  • Username enumeration based on login or forgotten password page.

  • Enforcement policies for brute-force protection, rate limiting, or account lockout.

  • SSL/TLS Best Practices.

  • SSL Attacks such as BEAST, BREACH, and renegotiation attacks.

  • Clickjacking without further details demonstrating a specific vulnerability.

  • Mail configuration issues, including SPF, DKIM, and DMARC settings.

  • Use of known vulnerable libraries without describing an exploit specific to our implementation.

  • Password and account recovery policy.

  • Autocomplete enabled on form fields.

  • Publicly accessible login panel.

  • Email address verification is missing during account registration or account invitation.

  • Missing email address verification during password recovery.

  • Session control during email/password changes.

Proof of concept

Minimize confusion. For example, when testing for command injection vulnerabilities, it is sufficient to display the output of the id or hostname commands; there is no need to cat /etc/passwd. When demonstrating root privileges in a vulnerable process with the following primitives, use the corresponding command:

  • Read: cat /proc/1/maps

  • Write: touch /root/<your H1 username>

  • Execute: id

Issue type and what is sufficient to report:

  • XSS: A simple alert(document.domain) should be enough.

  • RCE: Please only execute harmless code. Simply printing something or evaluating an expression should be enough to prove the problem.

  • SQLi: Immediately report any SQL errors that indicate SQL injection, or if you are able to disclose the version number of the SQL server.

  • Unvalidated redirect: Set the redirect endpoint to http://example.com if possible.

  • Information disclosure: If your report contains sensitive data, use our PGP key to encrypt it.

How to submit your report

Please contact us at security@liverado.com for potential security issues.

Please include the following information in the email:

  • Organization and contact name.

  • Affected products or solutions and versions.

  • Description of potential vulnerability.

  • Supporting technical details (e.g. system configuration, traces, description of exploit/attack code, sample packet captures, proof of concept, steps to reproduce the issue).

  • Information about vulnerabilities.

  • Disclosure plans, if any.

  • Whether you want public recognition (we display your social media link on our contributors' page as a reward).

  • We will investigate legitimate reports and make an effort to correct any vulnerabilities quickly. A well-written report will allow us to classify your submissions faster and more accurately.

  • Provide details of the vulnerability, including the information needed to reproduce and validate it and a proof of concept (POC).

  • A clear description of the problem, including how you think it affects users, Smartling, or others.

  • Specific replication steps, including the environment used for testing (browser, device, tools, configuration) and any accounts used during testing.

  • Your suggestion to solve the problem.

Confidentiality

Any information you receive or collect about Liverado through the bug bounty program must be kept confidential and used only for the bug bounty program. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information you submit and that you obtain while researching the Liverado website without Liverado's prior written consent.
