Bug Bounty Policy (September 6, 2017)


If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialog, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.

Rules

Helpful Hints

Destructive/Invasive Attacks

All of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it… just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that we cannot reproduce in production (legalrobot.com) will not be accepted.

Ineligible Reports

Disclosure

In the interest of transparency, it is our policy to at least ask for disclosure on all reports. Disclosure is not required for reports closed as Informative, Not Applicable, or Duplicate, only for Resolved reports, and even then we’re happy to do Limited Disclosure or delay disclosure for a good reason. In order to hold ourselves to a high standard, we’ll also do Full Disclosure if there is a possibility that we’ve been unfair to a researcher (marked as Spam, Locked Report, etc.).

Duplicates

We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.

Questions

For any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).

Thanks & Compensation

We believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily acknowledge your contribution. We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.