At LootLocker security is a top priority. We take the security of our systems, products, our employees and customers' information seriously, and we value the security community.
We always want to hear from security researches when they've found a potential issue. On this page you can see how to get in contact with us, as well as what is in scope and what is not.
1.1 Do not perform any attack, or DDoS, that contributes to the degradation of user experience, disruption to production systems and destruction of data during security testing.
1.2 Do not initiate a fraudulent financial transaction.
1.3 Do not engage in any activity that can potentially or actually cause harm to LootLocker, our customers, or our employees.
1.4 Do not attempt to gain access to another user's account or data.
1.5 Do not store, share, compromise or destroy LootLocker customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data form your system, and immediately contact LootLocker. This step protects any potentially vulnerable data, and you.
1.6 The reported bug must be original and previously unreported.
1.7 Perform research only within the scope set out below.
1.8 Use the identified communication channels to report vulnerability information to us.
1.9 Do not contact the team asking for updates on a reported bug. If the team deems the reported bug worthy, we will respond. Reports that aren’t eligible won’t receive a response.
1.10 You can only access, disclose and report the issues that you tested on your own account(s)
1.11 Keep information about any vulnerabilities you've discovered confidential between yourself and LootLocker until the security issue is considered resolved by LootLocker.
1.12 LootLocker reserves the right, at its sole discretion, to decide that the report is invalid for any reason (for instance, the reported bug is already known to us, the issue is not considered to be severe, etc.)
2.1. Vulnerabilities that do not cause any state changes (e.g. clickjacking that doesn’t do anything)
2.2. Features reported as vulnerabilities
2.3. Bugs that require unlikely user interaction. For example, a cross-site scripting flaw that requires the victim to manually type in an XSS payload into our app and then double-click an error message may not meet the bar
2.4. Vulnerabilities affecting users of outdated browsers
2.5. Account brute force
2.6. Mixed content warnings
2.7. Error information that cannot be used for direct attack
2.8. Unverified reports from automated tools or scanners
2.9. Text typos
2.10. Password strength reports
3.1. Include as much information as you can in clearly-written English. The report should include, but not be limited to:
3.1.1. All steps or actions required to reproduce the exploit of the vulnerability
3.1.2. Logs and screenshots
3.1.3. Video demonstration of the bug
3.1.4. IPs that were used while testing
3.1.5. Any other supporting evidence
3.2. All of these things should be reported to security@lootlocker.com along with your contact details.
4.1 Following the guidelines guarantees that we:
4.1.1 Do not pursue or support any legal action related to your research.
4.1.2 Work with you to understand and resolve the issue quickly.
4.1.3 Recognize your contribution on your Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
4.2 We reserve the right to change these terms at any time. If we decide to change this document, we will post changes on this page. All changes are effective immediately upon posting.
4.3 These terms will begin when you disclose the bug or issue to us.