Bug Bounty Program Policy
Program Introduction
At lava.top, safeguarding our valued customers and their users is our utmost priority. In line with this dedication, we extend an invitation to security researchers to collaborate with us in fortifying the security of lava.top and the well-being of its users through our proactive bug bounty program. Our program encompasses all lava.top brands and technologies and provides incentives for a diverse range of security vulnerabilities. We wholeheartedly encourage security researchers interested in joining our bug bounty initiative to review this policy for adherence to our guidelines and to facilitate the secure validation of any vulnerabilities you may uncover.
Rules of Engagement
By submitting reports or actively participating in this program, you signify your agreement to have read and committed to abiding by the Program Rules and Legal Terms sections outlined in this program Policy.
Program Rules
Account Ownership: Test vulnerabilities exclusively on accounts you own or have explicit permission from the account holder to assess.
Ethical Use: Do not exploit findings to compromise data or access other systems. Use a proof of concept solely for demonstrating the issue.
Sensitive Data: If sensitive information is accessed during vulnerability testing, it must not be saved, stored, transferred, or accessed beyond initial discovery. Delete all copies of sensitive data immediately and do not retain any.
Non-Disruptive Testing: Researchers must refrain from activities that may disrupt, damage, or harm lava.top, its brands, or its users. This includes avoiding social engineering, phishing, physical security breaches, and denial-of-service attacks against users, employees, or lava.top as a whole.
Program Scope: Adhere to the defined program scope. Only reports submitted to this program against assets within scope will qualify for monetary rewards.
Confidentiality: Researchers may not publicly disclose vulnerabilities, share any details with unauthorized individuals, or disseminate vulnerabilities to third parties without explicit written permission from lava.top.
Violation of these rules can result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes will give you a permanent ban.
Legal Terms
In connection with your participation in this program, you agree to comply with the lava.top Terms of Service and lava.top's Privacy Policy (both available for viewing and download here), and with all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
lava.top does not give permission/authorisation (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of lava.top customers and/or their users or to publish this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to lava.top in order to extract and publicly disclose data belonging to lava.top.
lava.top employees (including former employees that separated from lava.top within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any lava.top programs, whether hosted by lava.top or any third party.
Safe Harbour
lava.top will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorise security research in the name of other entities. If legal action is initiated by a third party against you, and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.
You are expected, as always, to comply with all applicable laws and regulations.
Please submit a report to lava.top before engaging in conduct that may be inconsistent with or unaddressed by this Policy.
Responsible Disclosure of Vulnerabilities
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.
The latest versions of all currently supported products and services provided by lava.top are included in our bug bounty program. Please review the program scope before submitting a report. Private scope is accessible to invited researchers only.
Testing
At lava.top and at our hosting partners, substantial volumes of data flow to and from our web services daily. To help us separate your testing traffic from normal usage and from potentially malicious activity originating elsewhere, and to ensure a smooth experience when participating in lava.top's bug bounty program, please observe the following guidelines:
- Whenever feasible, use your primary email address, the one you commonly use to communicate with lava.top, when registering accounts.
- Include your IP address within the bug report. Please note that we treat this information as confidential and solely utilize it for reviewing logs relevant to your testing activities.
- Add a custom HTTP header to all your web traffic. Burp Suite and other proxies can automatically append headers to outbound requests. Tell us which header value you have configured so that we can readily identify your traffic in our logs.
Identifier | Format | Example |
Your Username | X-Bug-Bounty: <username> | X-Bug-Bounty: myemailaddress@domain.com |
Unique Identifier | X-Bug-Bounty: <uuid> | X-Bug-Bounty: 17a3c1db-8d05-49fa-ae76-a7a5ce15f464 |
Tool Identifier | X-Bug-Bounty: <tool>-version-<version> | X-Bug-Bounty: BurpSuitePro-version-2020.1 |
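The following is an added example, not part of lava.top's policy or tooling, showing one way to tag every request from a Python script with this header. It builds the value in each of the three formats in the table above, installs it on a urllib opener so it is sent automatically, and sends one request to a small local echo server (constructed here as a stand-in for the target) to confirm the header arrives on the server side. The /api/profile path and the echo server are assumptions for illustration only.

```python
"""Attach the X-Bug-Bounty header to every outbound request (added example).

Not lava.top's code. The echo server is a constructed stand-in for the
target so the script runs offline; point the opener at the real host once
the header is in place.
"""
import json
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "X-Bug-Bounty"
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9._+-]+$")  # assumed: keep values header-safe


def bug_bounty_header(kind, value, version=None):
    """Return (name, value) in one of the three formats the program lists."""
    if kind == "username":
        # The program asks for the address you normally use with lava.top.
        if "@" not in value or not TOKEN_RE.match(value.replace("@", "", 1)):
            raise ValueError("username must be a plain email address")
        return HEADER_NAME, value
    if kind == "uuid":
        if not UUID_RE.match(value.lower()):
            raise ValueError("uuid must be 8-4-4-4-12 hex digits")
        return HEADER_NAME, value.lower()
    if kind == "tool":
        if version is None or not TOKEN_RE.match(value) or not TOKEN_RE.match(version):
            raise ValueError("tool needs a name and a version, e.g. BurpSuitePro 2020.1")
        return HEADER_NAME, f"{value}-version-{version}"
    raise ValueError(f"unknown identifier kind: {kind}")


def is_valid_identifier(kind, value, version=None):
    """True if bug_bounty_header would accept these inputs."""
    try:
        bug_bounty_header(kind, value, version)
        return True
    except ValueError:
        return False


def tagged_opener(header):
    """urllib opener that adds the tag to every request it sends."""
    name, value = header
    opener = urllib.request.build_opener()
    # Keep urllib's default User-Agent entry; prepend our tag.
    opener.addheaders = [(name, value)] + [
        h for h in opener.addheaders if h[0].lower() != name.lower()
    ]
    return opener


class _EchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: echoes the tag it received."""

    def do_GET(self):
        body = json.dumps({"x_bug_bounty": self.headers.get(HEADER_NAME)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo(kind="uuid", value="17a3c1db-8d05-49fa-ae76-a7a5ce15f464", version=None):
    """Send one tagged request to a local echo server; return the tag it saw."""
    server = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        opener = tagged_opener(bug_bounty_header(kind, value, version))
        url = f"http://127.0.0.1:{server.server_port}/api/profile"  # assumed path
        with opener.open(url, timeout=5) as resp:
            return json.loads(resp.read())["x_bug_bounty"]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("server saw:", demo())
    print("server saw:", demo("tool", "BurpSuitePro", "2020.1"))
```

Whichever format you pick, use the same value for the whole engagement and quote it in the report; a tag that changes between sessions is as hard to correlate with log entries as no tag at all.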
When testing for a bug, please also keep in mind:
- Only use authorized accounts so as not to inadvertently compromise the privacy of our users.
- When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please provide the following:
- Read: The contents of the file /proc/1/maps, or any other such sensitive file that you deem demonstrates the vulnerability.
- Write: Create or modify the file (including metadata such as creation/modification times) /root/<your username>, or another location you can write to while remaining compliant with this policy.
- Execute: id, hostname, pwd (or any other shell-level command that you deem demonstrates the vulnerability).
- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools – these tools include payloads that could trigger state changes or damage production systems and/or data.
- Before causing damage or potential damage: Stop, report what you’ve found and request additional testing permission.
Crafting a Report
If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:
- Description of the Vulnerability:
Provide a concise yet detailed description of the vulnerability you've identified.
- Steps to Reproduce the Reported Vulnerability:
List the step-by-step instructions required to replicate the vulnerability, making it easy for the recipient to understand and recreate the issue.
- Proof of Exploitability (e.g., Screenshot, Video):
Include any visual or audio evidence that demonstrates the vulnerability's exploitability. This could be in the form of screenshots, videos, or any other relevant media.
- Perceived Impact to Another User or the Organization:
Explain the potential consequences and implications of this vulnerability on another user or the overall organization's security.
- Proposed CVSSv3 Vector & Score (without Environmental and Temporal Modifiers):
Suggest a Common Vulnerability Scoring System (CVSS) vector and score for the vulnerability, excluding environmental and temporal modifiers.
- List of URLs and Affected Parameters:
Provide a list of URLs and specify the affected parameters where the vulnerability exists.
- Other Vulnerable URLs, Additional Payloads, Proof-of-Concept Code:
Include any additional information, URLs, payloads, or Proof-of-Concept code that can help in understanding and resolving the vulnerability.
- Browser, OS, and/or App Version Used During Testing:
Specify the browser, operating system, and/or application versions you utilized while testing to ensure accurate replication.
Note: Failure to adhere to these minimum requirements may result in the loss of a reward.
All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services. Please submit all security reports as an email, with attachments, to security@lava.top.
Program Scope
If you encounter vulnerabilities on specific websites or services, please report them only if they are listed as 'in scope.' For a comprehensive list of assets covered by this program, please refer to our detailed scope list located at the bottom of this page. Kindly note that this list may be updated without prior notice.
If you’ve found a vulnerability that affects an asset belonging to lava.top, but is not included as in scope on any of the lava.top programs, please report it to security@lava.top.
Rewards
Eligibility for a bounty is contingent upon being the first individual to disclose an unknown issue. Qualifying bugs will be rewarded based on their severity, a determination made solely by lava.top. The issuance of rewards is entirely at the discretion of lava.top and will be disbursed within 90 days after lava.top confirms and awards the bounty to the researcher.
At the discretion of lava.top, providing more comprehensive research, proof-of-concept code, and detailed write-ups may lead to an increased bounty amount. Conversely, lava.top may offer reduced rewards for vulnerabilities that involve intricate or overly complex interactions or for issues with negligible security risks. Rewards may be declined if there is evidence of program policy violations. Reports that mimic a potential vulnerability will not qualify for a bounty. It's important to note that reports related to third-party software may not be eligible for bounties, subject to lava.top's discretion.
Payout Table
Where a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by lava.top.
Severity | Payout (USD) |
Critical | $1,000 |
High | $300 |
Medium | $150 |
Low | $35 |
Informative | $0 |
Valued Vulnerabilities
All reports will be awarded based on the Common Weakness Enumeration classification. This table provides the CWEs that we will accept, the severity ranges we will classify reports within for the CWE, and some examples of common vulnerability and attack names that we classify within each CWE that we will accept. This table serves only as a guide and the severity classification of a particular vulnerability will be determined by lava.top in its sole discretion.
Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.
Minimum Severity | Maximum Severity | CWE | CWE Name | Example Vulnerability / Attack Names |
Critical | Critical | CWE-78 | OS Command Injection | Remote Code Execution; Code Injection; LDAP Injection |
High | Critical | CWE-120 | Classic Buffer Overflow | Buffer Overflow |
High | Critical | CWE-89 | SQL Injection | SQL Injection |
Medium | Critical | CWE-918 | Server-Side Request Forgery | SSRF (unrestricted); Content-Restricted SSRF; Error-based SSRF (true/false); Blind SSRF |
Medium | Critical | CWE-732 | Incorrect Permission Assignment for Critical Resource | IDOR; Horizontal Privilege Escalation; Vertical Privilege Escalation |
Low | Critical | CWE-91 | XML Injection | XML Injection |
Medium | Critical | CWE-611 | Improper Restriction of XML External Entity Reference | XXE |
High | Critical | CWE-134 | Uncontrolled Format String | Insecure Deserialization |
High | Critical | CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation to System Account |
Low | High | CWE-444 | Inconsistent Interpretation of HTTP Requests | HTTP Request Smuggling |
Low | Critical | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; Directory Traversal |
Medium | High | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface |
Medium | Critical | CWE-862 | Missing Authorization | Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR |
Informative | Critical | CWE-200 | Information Exposure | User Enumeration with PII; Credentials on GitHub; Confidential Information Exposure |
Informative | High | CWE-863 | Incorrect Authorization | Authorization Bypass; Account Takeover; Social Media Takeover (Brand, <12mo); Social Media Takeover (Personal); Social Media Takeover (Brand, >12mo) |
Medium | High | CWE-798 | Use of Hard-coded Credentials | Hard Coded Credentials |
Informative | High | CWE-434 | Unrestricted Upload of File with Dangerous Type | Unfiltered File Upload |
Low | High | CWE-203 | Information Exposure Through Discrepancy | PHP Admin Information page; MySQL Information page (w/ credentials); Apache Status page |
Medium | Medium | CWE-494 | Download of Code Without Integrity Check | S3 Bucket Upload |
Low | Medium | CWE-311 | Missing Encryption of Sensitive Data | Cleartext Submission of Passwords |
Low | Medium | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | |
Low | Medium | CWE-79 | Cross-Site Scripting | Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; CSS Injection |
Medium | Medium | CWE-352 | Cross-Site Request Forgery | State-Changing CSRF; Non-State-Changing CSRF |
Low | Medium | CWE-16 | Misconfiguration | Subdomain Takeover; Dangling DNS Record |
Medium | Medium | CWE-93 | CRLF Injection | CRLF Injection |
Low | Low | CWE-601 | Open Redirect | Open Redirect |
Informative | Low | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Weak CAPTCHA |
Informative | Low | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Lack of Rate Limiting on Login; CAPTCHA Bypass |
Borderline Out-of-Scope, No Bounty
These issues are eligible for submission, but not eligible for a bounty or any other award. Once triaged, they will be closed as Informative if found to be valid, or as Spam if found not to be valid. When reporting vulnerabilities, please consider (1) the attack scenario/exploitability and (2) the security impact of the bug.
- Any non-lava.top applications
- "Self" XSS
- Missing security best practices
- HTTP Host header XSS
- Confidential information leakage
- Clickjacking/UI redressing
- Use of a known-vulnerable library (without proof of exploitability)
- Intentional open redirects
- Missing cookie flags
- Reflected file download
- SSL/TLS best practices
- Incomplete/missing SPF/DKIM/DMARC
- Physical attacks
- Social engineering attacks
- Results of automated scanners
- Login/logout/unauthenticated CSRF
- Autocomplete attribute on web forms
- Using unreported vulnerabilities
- "Self" exploitation
- Issues related to networking protocols
- Flash-based XSS
- Software version disclosure
- Verbose error pages (without proof of exploitability)
- Denial of Service attacks
- lava.top software that is End of Life or no longer supported
- Account/email enumeration
- Missing security HTTP headers (without proof of exploitability)
- Internal pivoting, scanning, exploiting, or exfiltrating data
Note: Internal pivoting, scanning, exploiting, or exfiltrating data without permission will be considered a malicious act, with all the consequences that entails.
Do Not Report
The following issues are considered out of scope:
- Those that resolve to third-party services.
- Issues that we are already aware of or have been previously reported.
- Issues that require unlikely user interaction.
- Disclosure of information that does not present a significant risk.
- Cross-site Request Forgery with minimal security impact.
- CSV injection.
- General best practice concerns.
- All Flash-related bugs.
Special Situations
Same Bug, Different Host
For each report, please allow lava.top sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per host, not domain). Any reports filed separately, while we are actively working to resolve the issue, will be treated as a duplicate.
Same Payload, Different Parameter
In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.
Scopes
In Scope
Type | Asset | Maximum Severity | Bounty |
Domain | *.lava.top, including www.lava.top, within the scope listed below. Excluding billing.lava.top. | Critical | Eligible |
Source code | All lava.top code shipped with its product, both source and binaries (in binary form) as supplied. Only the latest versions of the currently shipped and supported products are in scope. | Critical | Eligible |
Service | All lava.top Hosted services, both public and private cloud installations. | Critical | Eligible |
Service | All lava.top supplied customer service portals, third-party components excluded. | Critical | Eligible |
Website | www.lava.top, limited to the contents being served from this website, and not third-party components that may present as accessible via this website. | Critical | Eligible |
Out of Scope
Type | Asset |
Domain | Any domain that is an alias (CNAME) for a third-party system, or is being proxied through a CDN such as Cloudflare directly to a third-party platform, e.g. billing.lava.top, success.lava.top, status.lava.top. |
Other | All third party services associated with lava.top services. |
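A pre-test check a researcher would want before touching any *.lava.top host, written as an added example (not lava.top's tooling): it encodes the rules from the two tables above, namely that *.lava.top is in scope, that billing.lava.top is excluded by name, and that any name which is a CNAME alias for a third-party system is out of scope. The CNAME answers in SAMPLE_CNAMES are constructed so the check runs offline and are not real DNS data; the .invalid targets stand in for whatever third-party platform a name really points at. For a live target, pass a real resolver such as the dig_cname helper (which needs dig and network access).

```python
"""Pre-test scope check for a hostname against the Scopes section (added example).

Not lava.top's tooling. SAMPLE_CNAMES is CONSTRUCTED data so the check runs
offline; use dig_cname (or your own resolver) against a real target.
"""
import subprocess

IN_SCOPE_ZONE = "lava.top"
EXCLUDED_HOSTS = {"billing.lava.top"}  # named as excluded in the In Scope table

# Constructed sample answers, not real DNS data. None means "no CNAME record".
SAMPLE_CNAMES = {
    "billing.lava.top": "billing.example-payments.invalid.",
    "status.lava.top": "statuspage.example-status.invalid.",
    "shop.lava.top": "www.lava.top.",  # alias inside the zone: still in scope
    "www.lava.top": None,
    "app.lava.top": None,
}


def _normalize(name):
    """Lower-case and drop the trailing dot so DNS and URL spellings compare equal."""
    return name.rstrip(".").lower()


def in_zone(host, zone=IN_SCOPE_ZONE):
    """True for the zone apex and any name beneath it (the *.zone wildcard)."""
    host, zone = _normalize(host), _normalize(zone)
    return host == zone or host.endswith("." + zone)


def cname_chain(host, lookup, max_hops=8):
    """Follow CNAMEs from host; return the ordered list of alias targets."""
    chain, current = [], _normalize(host)
    while True:
        target = lookup(current)
        if target is None:
            return chain
        target = _normalize(target)
        if target == current or target in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or overly long chain at {target}")
        chain.append(target)
        current = target


def scope_decision(host, lookup=SAMPLE_CNAMES.get):
    """Return (verdict, reason); verdict is 'in_scope' or 'out_of_scope'."""
    host = _normalize(host)
    if not in_zone(host):
        return "out_of_scope", "not under *.lava.top"
    if host in EXCLUDED_HOSTS:
        return "out_of_scope", "explicitly excluded in the In Scope table"
    for alias in cname_chain(host, lookup):
        if not in_zone(alias):
            return "out_of_scope", f"CNAME alias for third-party host {alias}"
    return "in_scope", "under *.lava.top with no third-party alias"


def dig_cname(host):
    """Live lookup via `dig +short CNAME` (needs dig and network; not used offline)."""
    proc = subprocess.run(["dig", "+short", "CNAME", host],
                          capture_output=True, text=True, check=False)
    answers = [line.strip() for line in proc.stdout.splitlines() if line.strip()]
    return answers[0] if answers else None


if __name__ == "__main__":
    for name in ("app.lava.top", "shop.lava.top", "billing.lava.top", "status.lava.top"):
        print(name, *scope_decision(name))
```

The CNAME test only catches the first of the two exclusions in the Out of Scope table. A name that is proxied through a CDN with plain A records will show no CNAME at all, so also look at the responses (CDN-specific headers, a login page belonging to another vendor) and, when still unsure, ask security@lava.top before testing rather than after.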
Questions
Any questions about lava.top’s Bug Bounty Program can be directed to security@lava.top. Thank you.