Contents
<aside>
❤️ To see the outstanding people who have previously reported responsible disclosures, please see our Thank you page
</aside>
The safety of our users and services is critical at LicenceOne.
Despite our best efforts to the contrary, some vulnerabilities may remain in our products and services.
The purpose of this document is to outline our policy regarding vulnerability disclosures. By submitting reports or otherwise participating in security research on LicenceOne, you agree that you have read and will follow the Rules, Submitting vulnerability reports, and Miscellaneous sections of this Policy.
🤗 Safe harbour
LicenceOne will never prosecute any Party submitting a Vulnerability Report if they have fully complied with the Vulnerability Disclosure Policy.
If your security research involves the networks, systems, information, applications, products, or services of another party (which is not controlled by LicenceOne), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.
If legal action is initiated by a third party against you, and you have complied with this Vulnerability Disclosure Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.
You are expected, as always, to comply with all applicable laws and regulations.
LicenceOne reserves all legal rights in the event of noncompliance with this policy.
🔭 Policy scope
🏳️ Out of scope
- Our marketing website available at https://www.licence.one
- Denial of service (DDoS)
- Systems that we do not control, like the third-party services we use, such as can be seen on https://faq.licence.one and https://feedback.licence.one
- Vulnerabilities affecting users of outdated or unpatched browsers or platforms
- Reports from automated tools or scans
- Vulnerabilities in third-party extensions
- Email security for the licence.one or licenceone.com domain: DMARC, DKIM, SPF
- Email enumeration
- Disclosure of non-sensitive internal IDs, such as user IDs
- Missing best practices in SSL/TLS configuration
- Password, email and account policies, such as email verification, reset link expiration, password complexity
- Methods to extend LicenceOne trial period
- Use of known-vulnerable libraries without proof of exploitation
- Attacks requiring man-in-the-middle (MITM) or access to a users’ device, such as a wireless router and computer
- Login/logout CSRF tokens, unless there is evidence of actual, sensitive user action not protected by a token
- Self-XSS
- Social engineering / phishing of LicenceOne staff or users
- Missing cookie flags on non-sensitive cookies
- Attacks that require attacker app to have the permission to overlay on top of LicenceOne (e.g. clickjacking, tapjacking)
- Session cookie duration
- Missing cookie flags on non-sensitive cookies
- Missing security headers, unless you can show how it leads directly to a vulnerability
- Host header injections, unless you can show how they can lead to stealing user data
- DNSSEC
🛡️ Rules
- ✅ Do encrypt all reports with the encryption keys found in our submission guidelines;
- ✅ Do perform security research without harming LicenceOne, its users, employees, or contractors;
- ✅ Do delete any copies of personally identifiable data obtained as part of security research after your vulnerability report has been submitted and triaged by LicenceOne;
- ✅ Do submit reports by following our submission guidelines;
- ❌ Do not disclose any vulnerabilities before they have been resolved by LicenceOne, and we have emailed you to confirm this;
- ❌ Do not perform any action affecting the normal operation of LicenceOne’s services;
- ❌ Do not perform a distributed denial of service (DDoS) attack;
- ❌ Do not attempt to gain access to or interact with LicenceOne accounts that you have not created yourself;
- ❌ Do not engage in testing or related activities that degrades, damages, or destroys information within our systems
📋 Submitting reports
Report guidelines
PGP encryption key
Report template
Report guidelines
- Reports can be in 🇬🇧 English or 🇫🇷 French;
- Report contents must be encrypted with our public PGP key;
- Please do not upload any content to external services (e.g. YouTube, Loom etc.), even you encrypt the URL;
- Reports must present proof of vulnerability as well as the necessary steps to reproduce it;
- No personally identifiable information of real LicenceOne users should appear in the report;
- The Declarant(s) engages to not publicly disclose the vulnerability without the express permission of LicenceOne;
- The report should be sent through no other channel apart from an encrypted email to security [AATT] licenceone.com;
PGP encryption key (Required)
Report template (Optional)
💌 Our response
LicenceOne will do everything to:
- Provide an answer to all legitimate vulnerability reports within 5 working days;
- Triage all legitimate Vulnerability Disclosures within 15 working days;
- Resolve triaged vulnerabilities within 90 days (depending on impact and product roadmap)
If the reported vulnerability is accepted and triaged:
- Financial compensation may be **awarded to the Declarant(s) at LicenceOne’s sole discretion;
- Any financial compensation amounts that may be awarded to the Declarant(s) remains at LicenceOne’s sole discretion;
- The Declarant(s) may be credited on our public Thank you page managed by LicenceOne;
- After gaining the express permission of LicenceOne, the Declarant(s) may publicly publish their vulnerability report (see Rules)
💰 Compensation
While LicenceOne remains a small company with a small budget, we may also consider financial compensation for vulnerability disclosures that fall into our scope and follow the submission guidelines – it’s only fair.
To determine the severity of a report, LicenceOne uses the Common Vulnerability Scoring System Version 3.1 framework as a guideline; however we may decide to place reports slightly higher or lower (e.g. if they’re edge cases).
Please note these are general guidelines, and reward decisions are up to the sole discretion of LicenceOne.
| CVSSV v3.1 score | Informative (https://licenceone.notion.site/Vulnerability-Disclosure-Policy-7851db919efc41b9bf4c1b127d221ab7) | Low
(0.1 - 4.9) | Medium
(5.0 - 6.9) | High
(7.0 - 8.9) | Critical
(9.0 - 10.0) |
| --- | --- | --- | --- | --- | --- |
| Min. award | €0 | €10 | €25 | €50 | €250 |
| Max. award | €0 | €20 | €100 | €250 | €1000 |
Once LicenceOne has decided to award compensation, you will be required to create a legally compliant invoice to the following company for the reward amount:
LicenceOne SAS
17 rue Isaac Newton
17000 La Rochelle
France
This invoice should contain a line item under the following name:
LicenceOne Bug Bounty Program
Once your invoice has been received, LicenceOne will endeavour to pay said invoice within 30 working days.
🎓 Miscellaneous
- LicenceOne reserves the right to change or modify the Vulnerability Disclosure Policy at any time;
- You may not participate in this program if you are a resident or individual located within a country appearing on any French or European Union sanctions list, or if are listed on the French register of frozen assets;
- LicenceOne employees (including former employees who separated from LicenceOne within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and individuals living in the same household, are not eligible to receive bounties or rewards of any kind under any LicenceOne Vulnerability Disclosure programs;
- LicenceOne does not give permission nor authorization (either implied or explicit) to an individual or group of individuals to:
- Extract personal information or content of LicenceOne users or publicize this information on the open, public-facing internet without user consent;
- Modify or corrupt programs or data belonging to LicenceOne to extract and publicly disclose data belonging to LicenceOne.
Back to top
Thank you