LiveAgent Bug Bounty Program

LiveAgent aims to keep its service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.

LiveAgent will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond to, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. LiveAgent reserves all of its legal rights in the event of any noncompliance.

Reporting

Share the details of any suspected vulnerabilities with the LiveAgent Development Team by reaching us at support@ladesk.com. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include as much information as possible. If you want to submit multiple reports at once, please submit one report only (the most important if possible) and wait for a response.

Compensation

We are pleased to offer a bounty for vulnerability information that helps us protect our customers, as thanks to the security researchers who choose to participate in our bug bounty program. The regular bounty reward is $50 per bounty submitted and verified by our dev team.

We will only reward the first reporter of a vulnerability. Any duplicate reports will not be rewarded.

Scope

You may test only against a LiveAgent Account for which you are the Account Owner or an Agent authorized by the Account Owner to conduct such testing. For example:

  • *yourdomain*.ladesk.com

We will reward you for the following types of vulnerabilities:

  • Remote Command Execution (RCE)
  • SQL Injection
  • Broken Authentication
  • Broken Session Management
  • Access Control Bypass
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Open URL Redirection
  • Directory Traversal

Reports in which an attacker can only threaten their own account will not be rewarded with a bounty. XSS caused by an Admin will not be rewarded with a bounty.

Have you found a security issue?

If you think you have found a security issue or bug..