LZF bounty poster

Bounties awarded: 2.6934

Bugs found: 20

Awarded bounty hunters: 18

How it works
Overview
LZF acknowledges the importance of security researchers in maintaining the safety and the privacy of our community. LZF encourages the responsible disclosure of security issues and vulnerabilities through our Bug Bounty Program as set forth on this page.
 
Reward Program

A financial reward will be given to any person or entity that reports a previously undiscovered, sufficiently significant, security issue or vulnerability. The amount of any reward is not limited and will be determined by LZF at LZF's discretion based on the significance of the issue or vulnerability found. The bounty poster on this page is displayed solely for aesthetic purposes; bounty rewards may be higher or lower than 2.0BTC.

We will provide attribution on our website for any person or entity who collects a bounty.

LZF reserves the right to decide if the minimum requirement for the collection of the bounty is met and whether or not the reported issue or vulnerability has been previously reported.

Any security issue or vulnerability which has the potential for either financial loss or the breach of data will be considered for the awarding of a bounty, including, but not limited to:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass or privilege escalation
  • Clickjacking
  • Remote code execution
  • Obtaining user information

Issues or vulnerabilities that would in general not meet the threshold of significance for the awarding of a bounty include, but are not limited to:

  • Vulnerabilities on sites hosted by third parties (LZF blog, LZF support, LZF analytics, etc.) unless they lead to a vulnerability on our main website application
  • Denial of service attacks
  • Spamming
  • Vulnerabilities in third-party applications which make use of LZF APIs

Responsible disclosure of security issues and vulnerabilities includes, but is not limited to:

  • Not purposely leaking or destroying any LZF or any LZF user data
  • Giving LZF a reasonable amount of time to correct the noted security issue or vulnerability before making it known elsewhere
  • Not defrauding Laissez Faire Financial, LLC ("LZF") or any LZF users in the process of discovery or notification of the security issue or vulnerability
 
Reporting Procedure

Please encrypt all sensitive information with this PGP public key.

In order to report a security issue or vulnerability please send us an e-mail at [email protected].

Awarded bounty hunters
  • Damian Rodolfo Pellejero (0.0078 BTC) Oct 2, 2018 / reported a minor OpenSSH vulnerability
  • Sundar Lal Baror (0.0066 BTC) Aug 3, 2018 / reported an XSS vulnerability
  • Ayoub SAFA (0.035 BTC) May 13, 2017 / reported an XSS vulnerability
  • Joshua Ashmore (0.244 BTC) Mar 12, 2016 / reported a bug which caused some deposits to not credit to some accounts
  • Ashish Pathak (0.025 BTC) Sep 26, 2015 / reported a minor best security practice relating to self-XSS prevention
  • Asim Shahzad (0.02 BTC) Jul 06, 2015 / reported a minor best security practice
  • Mayank Bhatodra (0.02 BTC) Mar 28, 2015 / reported a minor best security practice
  • Akhil Reni (0.05 BTC) Mar 28, 2015 / reported a minor spoof link vulnerability
  • Sarath Kumar (0.35 BTC) Mar 28, 2015 / reported an exceptionally unique and efficiently executable DoS attack vulnerability
  • Kalpesh Makwana (0.025 BTC) Mar 27, 2015 / reported a minor best security practice relating to browser content security policies
  • Kalpesh Makwana (0.1 BTC) Mar 27, 2015 / reported a minor best security practice relating to user settings
  • Jayaram Yalla & Ramana Yalla (0.1 BTC) Mar 26, 2015 / reported a highly unlikely CSRF vulnerability requiring a "trusted" attacker
  • Shahmeer Baloch (0.05 BTC) Mar 26, 2015 / reported a very minor URL token leak to Google Analytics
  • Koutrouss Naddara (0.09 BTC) Feb 20, 2015 / reported a minor best security practice relating to DNS configuration
  • Ayoub Fathi (0.15 BTC) Feb 19, 2015 / reported a minor XSS vulnerability
  • Hamid Ashraf (0.1 BTC) Feb 17, 2015 / reported a minor and highly unlikely tabnab vulnerability
  • Salman Khan (0.05 BTC) Feb 16, 2015 / reported a minor best security practice relating to TLS
  • Salman Khan (0.1 BTC) Feb 16, 2015 / reported a minor best security practice relating to sessions
  • Salman Khan (0.1 BTC) Feb 16, 2015 / reported a minor SSS vulnerability due to a DNS misconfiguration
  • Sahil Saif (1.07 BTC) Feb 12, 2015 / reported a CSRF vulnerability