Logically's Bug Bounty Program

We at Logically believe in working with security professionals to help protect our systems and customers’ personal information from malicious activity arising from vulnerabilities in our networks, web and mobile applications. This helps us make our platform secure and set security policies across our organization. We treat the security and safety of our customers’ personal information with the utmost importance.

Rules

  • Do not intentionally harm the experience or usefulness of the service to others; this includes destruction of data, degradation of services and denial of service attacks.
  • Do not attempt to view, modify, or damage data belonging to others.
  • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.

Exclusions

  • Denial of Service attacks
  • Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing)
  • Disclosure of known public files or directories
  • Use of outdated software / library versions
  • Social engineering (including phishing) of any Logically staff or contractors
  • Accessing private information of Logically customers

Logically will keep reviewing the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance, and the list is subject to change.

Bounty eligibility

  • Reporter must agree to and adhere to the Program Rules and Legal terms as stated in this policy
  • Reporter must be the first to report the issue in order to be eligible for bounty
  • Reporter must be available to supply additional information, as needed by our team, to reproduce and triage the issue

Reporting process

  1. When reporting vulnerabilities, you must send an email to security@logically.ai.
  2. In describing the vulnerability, it is important to include all necessary details required for reproducing the vulnerability as well as the tools required to reproduce the vulnerability. Please note that the vulnerability should be treated in accordance with the terms of the Program.
  3. Each submission will typically receive a reply within one (2) business day acknowledging that the report was successfully received.
  4. Duplicate submissions (where the vulnerability has already been reported to Logically) are not eligible for rewards. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been remediated.

Please recognise that the amount of time required to address a reported issue can vary from a few hours to a couple of weeks. You will receive notification of the final outcome of our remediation efforts once they are completed; we cannot provide updates on remediation efforts that are in progress.

Awarding process

Only vulnerabilities will be considered for an award and those vulnerabilities that have been resolved will receive an award.

Logically will determine at its own discretion whether a reward should be granted and the amount of the reward.

Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.

The bounties range from $50 to $500 depending on criteria such as the type/severity of the vulnerability, impacted domain(s), potential vulnerability exploits, and vulnerability report submission quality.

In general, Reflected XSS will be considered low severity and awarded with minimum bounty unless other impact is shown.

THE CRITERIA USED TO DETERMINE THE PAYOUT FOR A VULNERABILITY IS SOLELY AT THE DISCRETION OF LOGICALLY.