Responsible Vulnerability Disclosure Policy

Last updated on Apr 20, 2021

  • Locus works closely with security researchers to identify and fix any security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us on the lines of this disclosure policy.
  • Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the appropriate priority. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.
  • Notify us on ​security@locus.sh. If you believe you have found a vulnerability that affects confidential information (such as customer data, source-code, credentials etc.), or personally identifiable information, please confirm the potential issue with our team prior to attempting to gain access to the information or downloading any confidential data.
  • In case if you discovered any personally identifiable information, do not disclose any such information to any third party.
  • Do not retain any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Attacks that are expressly out of scope include:
    • Denial of Service
    • Spam
    • Social-engineering / phishing Locus staff
    • Physical security testing of Locus premises or data centers
    • Attacks that destroy or corrupt data, information or infrastructure, or put our customers, or the public at large at risk
    • Attacks that misrepresent Locus to other parties
    • Attacks on third party services
  • Locus will acknowledge receipt of a security report before the end of the following business day, and will then work with you to remediate any vulnerabilities. We publicly acknowledge security researchers who follow this responsible disclosure policy depending on the severity of the vulnerability reported, and may include them in our private bounty program which has additional scope, access, and rewards.
  • In case you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us on security@locus.sh beforehand. It’s always better to seek clarification first.
  • Locus will not entertain any bug reports where additional details or disclosure are contingent on commercial reward. We would consider this a (rather unethical) commercial penetration test solicitation, not good faith security research. However, Locus will issue appreciative rewards based on the CVSS rating of the vulnerability. It is advised to include CVSS rating along with the PoC report.
  • Locus typically only considers “High” or “Medium” severity issues. Here is an indicative list of issues that are not considered:
    • Issues found through automated testing
    • “Scanner output” or scanner-generated reports
    • Presence of banner or version information
    • OPTIONS / TRACE HTTP method enabled
    • XML-RPC presence / issues
    • Publicly-released bugs within 3 days of their disclosure
    • “Advisory” or “Informational” reports such as user enumeration
    • Vulnerabilities requiring physical access to a system
    • Denial of Service (DoS and DDoS) attacks
    • Missing CAPTCHAs
    • Default web-server pages
    • Brute-force attacks
    • Spam or social engineering techniques, including:

      • SPF, DKIM,DMARC issues
      • Content injection
      • Hyperlink injection in emails
      • IDN homograph attacks
      • RTL Ambiguity
    • Content Spoofing
    • Issues relating to password policy
    • Full-path disclosure
    • Version number information disclosure
    • Clickjacking / frame-redressing
    • CSRF-able actions that do not require authentication (or a session) to exploit
    • Issues on 3rd-party subdomains / domains of services we use. (Please report those issues to the appropriate service.)
    • Reports related to the following security-related headers:

      • Strict Transport Security (HSTS)
      • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
      • X-Content-Type-Options
      • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Turn-around time for “High”, “Medium” and “Low” risk vulnerabilities are 1-week, 2-weeks and 4-6 weeks respectively. Expect a response from us accordingly.

Hall of Fame

While Locus does not provide rewards for responsibly disclosing unique vulnerabilities and collaborating with us on remediation, we want to express our deepest gratitude to the security researchers publicly. Your names will be proudly featured in our Hall of Fame, a testament to the significant impact of your contributions.

Locus genuinely acknowledges the exceptional efforts of the individuals in our responsible disclosure program. We extend our sincerest thanks to each one of you for your invaluable dedication.