White Hat Bug Bounty Program
Earn money and recognition for your responsible disclosures
LaunchKey fully supports and values the security research community. As such, we encourage security researchers to
responsibly disclose security vulnerabilities after reviewing our responsible disclosure policy and bug bounty
guidelines found on this page.
Responsible Disclosure Policy
Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users and
developers. Responsible disclosure includes:
- Provide us with a reasonable amount of time to fix the security vulnerability before publishing your find
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our
service during your research and testing
- Only target accounts you have created for the purpose of your security research, and never attempt to access or
disrupt another user's service
We will not bring legal action against any researcher who discloses security vulnerabilities using the responsible
disclosure guidelines above.
To show our appreciation and respect to the security researchers who volunteer their time to improving our service, we offer a monetary bounty for certain security bugs.
In addition to adhering to our Responsible Disclosure Policy above, to qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the integrity of LaunchKey services or user data, circumvent privacy protections, or enable access to systems within LaunchKey. Our bug bounty also covers SDKs, libraries and plugins developed and supported by LaunchKey, but excludes third party developed libraries, plugins, etc.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication Flaws (e.g. LaunchKey OAuth bugs)
- Remote Code Execution
- Privilege Escalation
- Code Injection
Typically, the following types of bugs are not eligible for a bounty:
- Security vulnerabilities on sites hosted by third parties unless they lead to a
vulnerability on a LaunchKey-hosted site
- Security vulnerabilities in third party applications which use the LaunchKey API
- Security vulnerabilities in third party plugins, libraries or tools that use the LaunchKey API
- Denial of service (DoS)
- Social Engineering
- Bugs affecting outdated or unpatched browsers
- Biometric forgeries
- The minimum bounty for a qualifying security vulnerability is $200 USD
- There is no maximum bounty; the value of the bounty is based on a combination of the severity of the bug and
creativity of the exploit
- Receive payment by: check (if U.S. citizen); PayPal; or Bitcoin (BTC) transfer
- Only 1 bounty per bug will be awarded
- Security researchers who don't want to collect a bounty may have their reward donated to an approved charity upon
- You must reside in a country not under any current U.S. Sanctions to qualify for a reward.
How to Report a Bug
If you believe you've discovered a security vulnerability in LaunchKey, you may responsibly disclose your find by
sending an email to firstname.lastname@example.org using our optional PGP key below. Please include the following details with your disclosure:
- Description of vulnerability and potential impact
- Detailed description of steps taken to reproduce the bug or proof of concept
- Name and/or link for (optional) attribution on this page
If you'd like to encrypt your communications with LaunchKey, please use our PGP key below. All security-related emails from LaunchKey will be signed with this key.
Fingerprint: 4A82 44D7 A524 8C63 BEAF C7DB 8391 6F05 1515 DF88
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Hall of Fame
On behalf of our users and developers, we would like to formally thank the following individuals for their responsible disclosures:
LaunchKey links to user contributed code as a resource to its community. LaunchKey does not in any way
guarantee or warrant the quality and security of these code bases. User contributed code is supported by the
creators. If you do find a link from the site to user contributed code that is malicious or inappropriate in any
way, please report that link to LaunchKey immediately and we will investigate the claim. Submit any issue to
LaunchKey support at https://launchkey.com./support.