Bug Bounty Policy (September 8, 2016)

September 8, 2016 -

If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.

Rules

Use good judgment (except as outlined below in “Destructive/Invasive Attacks”):

As long as your research stays within the bounds of these criteria, we welcome the dialog and promise not to take legal action.

Attributes of a Good Report

Scope

We welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).

Not in scope: the legalrobot.ideas.aha.io domain. Also, any mail server issues are out of scope on the legalrobot-uat.com domain.

We are particularly interested in problems that allow unauthorized access to other user’s documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).

Destructive/Invasive Attacks

We provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it… just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline send us a note at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.

Automated Testing

We do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.

Annoying Tests

Submitting form data like “><img src=M onerror=prompt(1);>” just annoys us. It’s a waste of our time and yours because we obviously sanitize inputs. Related: don’t deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn’t have any control over those components anyway.

Ineligible Reports

Thanks & Compensation

We believe in recognizing the work of others. If your work helps us improve the security of our service, we’d be happy to acknowledge your contribution. In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.