Contact: security@lingo.dev
Canonical: https://lingo.dev/.well-known/security.txt

At lingo.dev, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

We highly value, and typically work with, extremely professional security researchers who focus on high-impact findings. However, report farming is strictly unacceptable. We define report farming as submitting low-quality, low-impact, or out-of-scope reports in the hope of receiving rewards. This behavior will result in immediate blocking from our security channels. We may or may not share a blocklist with other organizations to prevent abuse across multiple platforms.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

In-scope vulnerabilities include (but are not limited to):
- Remote code execution
- Authentication bypasses
- Authorization flaws leading to unauthorized access to sensitive data
- SQL injection
- Server-side request forgery with significant impact
- Subdomain takeovers with clear security implications

Here is a comprehensive list of out-of-scope vulnerabilities:
- Clickjacking on pages with no sensitive actions
- Any form of CSRF (authenticated, unauthenticated, logout, login)
- Attacks requiring MITM or physical access to a user's device
- Attacks requiring social engineering
- Any activity that could lead to disruption of service (DoS/DDoS)
- Content spoofing and text injection issues without a demonstrated attack vector
- Email spoofing or missing email security configurations (SPF/DKIM/DMARC)
- Missing security headers (DNSSEC, CAA, CSP)
- Lack of Secure or HttpOnly flags on any cookies
- Dead links or broken link hijacking
- User enumeration
- Vulnerabilities affecting only unsupported browsers or operating systems
- Tabnabbing
- Self-exploitation (self-XSS, self-DoS)
- Permissive CORS configurations without demonstrated security impact
- Software version disclosure/banner identification
- Descriptive error messages or headers (stack traces, application errors)
- CSV injection
- Open redirects (regardless of security impact)
- All SSL/TLS configuration issues
- Lack of SSL pinning or jailbreak detection
- Cookie handling best practices
- All rate limiting issues
- Theoretical vulnerabilities without a clear and immediate exploitation path
- Vulnerabilities that require knowledge of non-public identifiers (e.g., internal project IDs, user IDs, or other private data not publicly accessible)

Testing guidelines:
- No automated scanners allowed under any circumstances
- No testing that generates more than 10 requests per minute
- Do not take advantage of the vulnerability or problem you have discovered
- No accessing, modifying, or retaining any data encountered during testing
- Testing must be conducted only during business hours (9am-5pm ET, Monday-Friday)

Reporting guidelines:
- All reports must include clear reproduction steps with screenshots
- Reports without a proof of concept will be rejected immediately
- All reports must include a detailed technical impact assessment
- Reports must be written in English only
- File a report via email to security@lingo.dev

Email Abuse Notice:
- Our security email has been frequently abused with low-quality, out-of-scope reports
- Submissions that ignore this policy will be automatically filtered
- Repeat offenders will be permanently blocked from our security communication channels
- Sending reports for issues clearly listed as out-of-scope constitutes abuse of our security process

Rewards:
- We do not run a traditional bug bounty program with competitive payouts
- Rewards are entirely discretionary and rarely issued
- Only critical vulnerabilities with severe impact will be considered
- Maximum reward: $50 gift card and/or acknowledgment
- Most reports, even if valid, will not qualify for rewards
- All reward decisions are final and non-negotiable

Disclosure guidelines:
- Do not share findings with any third party
- No public write-ups after disclosure without explicit written permission
- In order to protect our customers, do not reveal the problem to others until we have researched and addressed it

What we promise:
- We will respond to your report within 10 business days
- Researchers who submit valid reports may be acknowledged through our channels (website, Twitter, etc.) if they prefer
- If you have followed the instructions above, we will not take any legal action against you
- We reserve the right to close any report without explanation

Please note that only emergencies are considered in scope. The team will decide which reports to act upon based on common sense and the severity of the issue. If you adhere to these guidelines and do not abuse this policy, no legal action will be taken against you.