LZF acknowledges the importance of security researchers in maintaining the safety and the privacy of our community. LZF encourages the responsible disclosure of security issues and vulnerabilities through our Bug Bounty Program as set forth on this page.
A financial reward will be given to any person or entity that reports a previously undiscovered, sufficiently significant security issue or vulnerability. The amount of any reward is not limited and will be determined by LZF at LZF's discretion based on the significance of the issue or vulnerability found. The bounty poster on this page is displayed solely for aesthetic purposes; bounty rewards may be higher or lower than 2.0 BTC.
We will provide attribution on our website for any person or entity who collects a bounty.
LZF reserves the right to decide if the minimum requirement for the collection of the bounty is met and whether or not the reported issue or vulnerability has been previously reported.
Any security issue or vulnerability which has the potential for either financial loss or the breach of data will be considered for the awarding of a bounty, including, but not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication bypass or privilege escalation
- Clickjacking
- Remote code execution
- Obtaining user information
Issues or vulnerabilities that would in general not meet the threshold of significance for the awarding of a bounty include, but are not limited to:
- Vulnerabilities on sites hosted by third parties (LZF blog, LZF support, LZF analytics, etc.) unless they lead to a vulnerability on our main website application
- Denial of service attacks
- Vulnerabilities in third-party applications that make use of LZF APIs
Responsible disclosure of security issues and vulnerabilities includes, but is not limited to:
- Not purposely leaking or destroying any LZF or any LZF user data
- Giving LZF a reasonable amount of time to correct the noted security issue or vulnerability before making it known elsewhere
- Not defrauding Laissez Faire Financial, LLC ("LZF") or any LZF users in the process of discovery or notification of the security issue or vulnerability
Please encrypt all sensitive information with this PGP public key.
To report a security issue or vulnerability, please send us an e-mail at [email protected].