Responsible Disclosure
At lightnlens, we take the security of our website and services seriously. We appreciate the security
research community's efforts in helping us maintain the security and privacy of our users.
What We're Looking For
We're interested in reports regarding:
- Cross-Site Scripting (XSS) vulnerabilities
- Cross-Site Request Forgery (CSRF) vulnerabilities
- SQL injection vulnerabilities
- Authentication or authorization flaws
- Server-side code execution vulnerabilities
- Payment processing security issues
- Significant security misconfigurations
- Data exposure or privacy concerns
- Other vulnerabilities with a clear security impact
Reporting Guidelines
When reporting a security issue, please include:
- Description: A clear description of the vulnerability
- Impact: The potential impact and severity of the issue
- Steps to Reproduce: Detailed steps to reproduce the vulnerability
- Proof of Concept: Screenshots, videos, or code samples demonstrating the issue
- Your Contact Information: So we can follow up with questions or updates
What We Ask From You
- Give us reasonable time to investigate and address the issue before public disclosure (we aim to respond within 48 hours and resolve within 30 days)
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Do not access or modify other users' data
- Do not perform actions that could harm the reliability or integrity of our services
- Do not use social engineering or physical attacks against our staff or infrastructure
- Keep the vulnerability information confidential until we've resolved it
What You Can Expect From Us
- Acknowledgement: We'll acknowledge receipt of your report within 48 hours
- Communication: We'll keep you updated on our progress addressing the issue
- Credit: If you wish, we'll publicly acknowledge your responsible disclosure after the issue is resolved
- No Legal Action: We won't pursue legal action against researchers who follow these guidelines
Out of Scope
The following are generally not considered security vulnerabilities:
- Denial of Service (DoS) attacks
- Social engineering attacks against our staff or users
- Reports from automated tools without validation
- Issues that require physical access to a user's device
- Missing security headers without a demonstrated vulnerability
- Missing rate limiting without a demonstrated vulnerability
- Reports of insecure SSL/TLS ciphers that don't affect modern browsers
- Lack of CSRF tokens on forms that don't contain sensitive operations
- Clickjacking on pages without sensitive actions
- Disclosure of non-sensitive information (e.g., server version numbers)
Security Best Practices
We implement industry-standard security measures including:
- HTTPS: All pages are served over encrypted connections
- Secure Payment Processing: Payments are processed by Stripe, a PCI-compliant payment processor
- Data Protection: Personal data is handled according to our Privacy Policy
- Regular Updates: We keep our dependencies and infrastructure up to date
- Access Controls: We implement appropriate access controls and authentication mechanisms
- Security Monitoring: We monitor our systems for suspicious activity
Contact Information
Thank you for helping us keep lightnlens and our users safe!
We appreciate the work of security researchers and are committed to working with the community to maintain a secure platform.