Responsible Disclosure

At Lufa Farms, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Responsible Disclosure Guidelines:

  • E-mail your findings to security@lufa.com.
  • We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, so long as you comply with the Terms.
  • Do not access or modify data that does not belong to you. If you are able to gain access to or modify data that belongs to Lufa, other customers, or Lufa vendors during the course of your research, you must take the following actions:
    ◦ Immediately stop your activities.
    ◦ Disclose your findings to Lufa as soon as possible (but no later than 24 hours after discovery). Your findings should include details of the vulnerability, including the information needed to reproduce and validate it and a Proof of Concept (POC).
    ◦ Wait for further instruction from the Lufa team.
    ◦ Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Give Lufa a reasonable time to correct the issue. In certain circumstances, Lufa may request that you not disclose your findings or to delay disclosure until we can ensure that the matter has been adequately addressed. You may not disclose confirmed, unresolved vulnerabilities without approval from Lufa.

Rules of Engagement

  • Research must be done using a Lufa account that you own. You should not intentionally modify online accounts or data owned by other Lufa customers (without explicit permission). If, during the course of your research, you find a vulnerability that would allow you to bypass an authentication control for another person’s account, you should report the vulnerability to Lufa immediately and take no further action.
  • If you are able to access or modify personal data of other customers or other sensitive data that does not belong to you, immediately contact Lufa. Do not attempt to conduct post-exploitation work with this data.
  • Where you are able to access data that does not belong to you, you will be asked to delete it. You must comply with this request, demonstrate the steps you took to ensure it was deleted, and confirm deletion to Lufa in order to be eligible for a reward.
  • Please don't try to use brute force, denial of service attacks, phishing, or social engineering attacks on Lufa-owned systems or our employees.

What we promise:

  • We will respond to your report within ten business days with our evaluation of the report and an expected resolution date. If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

Rewards

  • We do not offer monetary rewards for reports at this time, but we honor contributors in our Hall of Fame, recognizing your valuable contributions and expertise. Your dedication is celebrated and appreciated in this prestigious recognition system. Thank you for your meaningful impact.

Out of Scope:

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Rate limiting or brute force issues
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / banner identification issues
  • Tabnabbing
  • Self XSS
  • Username / email enumeration
  • Broken links on the security page

Hall of Fame