At LoyaltyLion, we take security seriously and value the contributions of the security community. If you believe you have discovered a vulnerability in our systems, products, or services, we encourage you to report it responsibly.
Please report any potential vulnerabilities to the following:
When reporting, please provide as much detail as possible, including:
A detailed description of the vulnerability.
Steps to reproduce the issue.
Potential impact assessment.
Any supporting materials (screenshots, proof of concept code, etc.).
Scope
The following are considered in-scope for our vulnerability disclosure program:
Web applications operated by LoyaltyLion.
LoyaltyLion APIs.
Public-facing systems and services owned by LoyaltyLion.
Out-of-scope testing includes (but is not limited to):
Social engineering attacks (e.g., phishing employees).
Physical security attacks.
Denial of service (DoS) or resource exhaustion attacks.
Use of automated scanners that generate large amounts of traffic.
Acknowledgement Timelines
We aim to:
Acknowledge receipt of vulnerability reports within two business days.
Provide an initial assessment within five business days of acknowledgement.
Vulnerability Assessment and Prioritization
Upon receiving a report, LoyaltyLion will assess the vulnerability based on several factors, including:
Severity and exploitability.
Exposure of sensitive data or systems.
Mitigation possibilities (e.g., network protections like firewalls and proxies).
Usage of the vulnerable component within our application.
We may adjust remediation priorities accordingly if a vulnerability is determined to be low-risk or not directly exploitable (e.g., protected behind multiple layers of security or unused code paths).
Severity is generally categorised as follows:
Critical: Remote code execution, unauthorised access to sensitive data, critical service disruption.
High: Significant security impact without full system compromise.
Medium: Limited impact, or issues that require significant user interaction.
Low: Minor issues with negligible impact.
Remediation Timelines
We are committed to promptly resolving valid security issues. Our target timelines for remediation are:
Critical: Within 7 calendar days of validation.
High: Within 14 calendar days of validation.
Medium: Within 30 calendar days of validation.
Low: Within 90 calendar days of validation.
In cases where patching is not immediately feasible (e.g., due to the need for substantial application changes), we will:
Assess the actual exploitability.
Implement compensating controls or mitigations if necessary.
Communicate expected timelines to the reporter (if applicable).
Public Disclosure Policy
We request that reporters not publicly disclose vulnerabilities until we have had a reasonable opportunity to address the issue. Coordination and mutual agreement on disclosure timelines are encouraged.
We are committed to working with researchers to coordinate public disclosures, ensuring that vulnerabilities are remediated before full details are shared publicly.
Safe Harbor
LoyaltyLion supports responsible security research. We will not pursue legal action against individuals who:
Engage in testing in good faith.
Report vulnerabilities through the appropriate channel.
Avoid violating user privacy, degrading user experience, or disrupting production systems.
Internal Security Processes
LoyaltyLion employs continuous automated scanning and monitoring, including:
GitHub Dependabot alerts across our repositories.
Automatic pull requests for vulnerable dependency updates.
Risk-based assessment and mitigation prioritisation.
Our goal is to maintain the highest security standards across all environments.