LeadDelta Vulnerability Disclosure Program
This vulnerability disclosure program is limited to security vulnerabilities in LeadDelta web applications. Submissions of vulnerabilities will not be rewarded monetarily.
We ask all security researchers to submit vulnerability reports to our Product Security team via email at security@leaddelta.com. Researchers who submit a vulnerability report will be given full credit on our “Hall of Fame” page after the submission has been accepted and confirmed by our product security team.
All vulnerability reports must follow these guidelines:
- Reports should be written in English.
- Provide a detailed description of the discovered vulnerability.
- Provide steps to reproduce.
- Provide screenshots (where applicable).
- Explain the impact and any potential remediation.
- Reported vulnerabilities must not be the result of the usage of automated scanners or automated tools.
- Reported vulnerabilities must not result from non-technical attacks such as social engineering or phishing.
- Reported vulnerabilities must not be publicly disclosed before we inform you that the bug is fixed.
Our commitment to researchers:
- We will respond to your email within a week.
- We will keep you updated about the progress of the bug fix.
- We reserve the right to ask the researcher to provide further information about reported vulnerabilities.
- We assure you that you will not be liable if you follow our guidelines and act in good faith.
- We promise to give full credit to the researcher after the vulnerability has been validated and fixed.
Eligible vulnerabilities
We encourage researchers to use the OWASP Top 10 list – https://owasp.org/www-project-top-ten/ – as a reference, with a special focus on the following:
- Broken Access Control – https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- Injection (SQL and NoSQL Injection, Cross-Site Scripting – XSS) – https://owasp.org/Top10/A03_2021-Injection/
- Identification and Authentication Failures – https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
- Software and Data Integrity Failures – https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
- Server-Side Request Forgery – https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
Excluded vulnerabilities
The following categories are excluded from our vulnerability disclosure program:
- Non-exploitable Issues – Informational or low-risk issues that do not have a clear security impact.
- Best Practices and Recommendations – Suggestions for improving security that do not identify a specific vulnerability, such as recommendations for stronger encryption algorithms or coding practices.
- Third-Party Services and Libraries – Vulnerabilities in third-party services or libraries that the organization uses but does not control.
- Outdated Software Versions – Vulnerabilities in older software versions that are no longer supported.
- Non-Production Systems – Vulnerabilities in demonstration or trial versions of the application.
- Denial of Service (DoS) Attacks – Issues that require overwhelming the system with traffic or requests.
- Social Engineering – Phishing, vishing, or other social engineering attacks that target individuals rather than exploiting technical vulnerabilities.
- Physical Security – Vulnerabilities that require physical access to the organization’s premises or devices.
- Content Spoofing – Text or image changes that do not have a security impact, such as minor UI/UX inconsistencies or typos.
- Spam and Abuse – Reports related to spam, abuse, or misuse of the application that do not result in a security vulnerability.
- Privacy Concerns – General privacy concerns that do not result in a specific security vulnerability.
Incentives and Recognition
- We promise to give full credit to the researcher after a vulnerability has been validated and fixed.
- We will not provide monetary compensation, but we will award you a one-year free PRO license.
- We will feature you on our website, on our Hall of Fame page.