Leda Bug Bounty Program
Update:
We've recently implemented MFA. Interested in people focusing on that. Its configured in your profile settings.
Welcome
We're excited to invite security researchers from all backgrounds to help us make Leda a more secure platform for everyone. Your expertise helps us identify vulnerabilities before they can be exploited, and we value your contributions to our security efforts.
Program Scope
We appreciate reports that can help us improve our security posture. Please review the following details carefully before submitting your findings.
In-Scope Assets
- Main Web Application: https://getleda.com
Out-of-Scope Assets
- Any services hosted by third parties, unless they impact the security of our primary assets.
- Physical offices and infrastructure.
- Employee social media accounts.
Vulnerabilities We're Interested In
- Cross-Site Scripting (XSS)
- SQL Injection
- Authentication bypass
- Privilege escalation
- Remote Code Execution (RCE)
- Security misconfigurations
- Server-side request forgery (SSRF)
- Misconfigured access controls
Vulnerabilities Out-of-Scope
- Issues solely affecting outdated browsers
- Missing HTTP security headers (unless they lead to a proven vulnerability)
- Vulnerabilities requiring physical access
- Self-XSS requiring significant user interaction
- Reports from automated tools without clear evidence of impact
- Theoretical vulnerabilities without proof of exploitation
Rewards
We offer bounties based on the severity and impact of the vulnerability:
- Critical - E.g. RCE, database access
- High - E.g., privilege escalation, significant data exposure
- Medium - E.g. XSS, minor API issues
- Low - E.g. information disclosure without direct impact
Note: Reports without clear security implications or that require unrealistic attack scenarios will not be rewarded.
Submission Guidelines
- Provide clear, step-by-step instructions to reproduce the vulnerability
- Include screenshots, videos, or code snippets where possible
- Test only on your own accounts; do not access others' data
- Describe the potential impact and attack scenario
- Be respectful of our users' privacy and our systems' stability
Our Commitment
- We will acknowledge your report within 3 business days
- A resolution or update will be provided within 3 business days
- We will keep you informed about the status of your report
- We will recognize your contribution if you wish to be acknowledged
Legal Safe Harbor
This program follows a "safe harbor" approach. As long as your research is conducted responsibly and within the program's scope, we consider it authorized. If legal questions arise, we'll work with you to understand and resolve them.
