Please disclose responsibly
At LetsBuild, the security of our users and our platform comes first. If you believe that you have discovered a potential vulnerability on our platform or in any APIs, apps or LetsBuild service, we would appreciate your help in fixing it fast by revealing your findings in accordance with this policy.
Going public with security vulnerabilities can elevate the level of risk, so we urge you to keep such matters private until they can be addressed.
Reporting to LetsBuild
If you believe that you have found a security vulnerability on LetsBuild, please let us know right away at security@letsbuild.com.
It’s most helpful to provide as much information as possible, especially a way for us to reproduce the issue. DO NOT provide any personally identifiable information and/or credit-card data.
We will do our best to confirm receipt of valid reports by the next business day; a LetsBuild team member will investigate within a week and correspond with you if necessary.
Please consider the potential damage to others and don’t disclose or share your matter publicly until we have been able to investigate and respond.
What’s research and what crosses the line?
We welcome information from white-hat researchers. Responsible actions and revelations regarding LetsBuild are not of legal concern. Nevertheless, the following actions are not acceptable and will be reported to the proper authorities:
- Seeking to modify or destroy data
- Seeking to interrupt or degrade the services we offer to users
- Seeking to execute a Denial of Service attack
- Seeking access to user accounts or data (instead, create test projects and users as needed)
- Research that violates any applicable laws
- Please test only for vulnerabilities on LetsBuild systems. Areas hosted by third parties (e.g., blog.LetsBuild.com) are outside the scope of this policy.
Reward offered
Responsible research that reveals qualifying issues in accordance with this policy could be eligible for swag and/or inclusion in our Hall of Fame.
Qualifying issues include web vulnerabilities exposed during a valid attack scenario that has significant impact on our users or our platform. Examples of such vulnerabilities could be:
- Authentication flaws
- Circumventing of platform and/or privacy permissions
- Privilege escalations
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Arbitrary redirects
- Server-side code execution (RCE)
Issues that do not qualify include the following:
- User enumeration
- Denial of Service (DoS)
- Minor information disclosures (e.g., server software/version)
- Issues with outdated or unpatched browsers
- Lack of the Secure flag on nonsensitive cookies
- Lack of the HTTP Only flag on nonsensitive cookies
- Security vulnerabilities in third-party websites and applications that integrate with LetsBuild
- Vulnerabilities requiring a potential victim to install nonstandard software or otherwise take steps to become susceptible to attack
- Social engineering of vulnerabilities requiring very unlikely user interactions
- Findings primarily from social engineering (e.g., phishing, vishing)
- Findings from physical testing such as office access (e.g., open doors, tailgating)
- UI/UX bugs and spelling mistakes
- Spamming
Whether an issue is indeed qualifying, and whether a reward or inclusion in our Hall of Fame is merited are decisions made at LetsBuild’s discretion. Only the first researcher to report a specific qualifying issue may be eligible for swag – and/or inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time.
The only eligible domains for exploration are:
- letsbuild.com
- www.letsbuild.com
- aproplan.letsbuild.com with any subdomains
- geniebelt.letsbuild.com with any subdomains
Hall of fame
We would like to give a massive shout-out to everyone in the hall of fame for their hard work in finding security vulnerabilities and disclosing them responsibly.