Program Scope

Includes security and privacy issues in the following products:

  • Luminati website - https://luminati.io
  • Luminati partner SDK (latest version)
Any design or implementation issue that affects the confidentiality or integrity of customer or SDK user data is likely to be in scope for the program.
Common examples include:
  • Cross-Site Scripting
  • Cross-Site Request Forgery - CSRF/ XSRF
  • Authentication or Authorization flaws
  • Remote Code Execution - Servers
  • Remote Code Execution - SDK
  • Access of internal company web pages via installed SDK
Qualifying vulnerabilities
  • Do NOT attempt any DoS attacks, it’s not helpful at all
  • Do NOT use any testing tools that automatically generate large volumes of traffic, this will automatically disqualify you from all bug bounties
  • Do NOT try to hack real customer accounts, keeping the privacy and security of our customers is important, use your own accounts
Out of Scope
IMPORTANT: Not making a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research will automatically disqualify you from all bug bounties.

Rewards

Up to$300
  • Web: Cross-site scripting
  • Web: CSRF Clickjacking
  • Security related misconfiguration on production server or client software
Up to$1000
  • Remote code execution on an SDK user
  • Data extraction from a production server
  • Access control issue which exposes Personally Identifiable Information
  • Access control issue which allows viewing/controlling another customer’s account
Up to$2000
  • Remote code execution on production server
  • Significant authentication bypass on production server containing critical information
Any rewards that are unclaimed after 2 months will be canceled.
The final reward is always chosen at the discretion of the team investigating the issue. We may decide to pay higher rewards for unusually severe security issues, decide to pay lower rewards for vulnerabilities with a very low likelihood to occur, decide that a single report actually consists of several bugs, or that several reports are actually the same issue.

Reporting bugs

Reports should be sent to security@luminati.io and must include the following sections:

Any additional information - network data, usage examples, specs or videos are all welcome

  • Overview: Short technical description
  • Proof Of Concept: Detailed steps on how to reproduce the vulnerability
  • Impact: Explanation of how the attack could be executed in a real world scenario
  • Suggested Fix: how this vulnerability should be addressed

Bounty Payments

Bounty payments are subject to the following restrictions:

  • Minors are welcome to participate in the program. However, the Children’s Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
  • All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
  • It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.