Security

Responsible Disclosure Policy

We value your help in keeping Lodol secure. Learn how to report vulnerabilities responsibly and what you can expect from us.

Last updated: May 3, 2025

1. Purpose

At Lodol, security is fundamental to our mission. We believe in working together with security researchers to identify and fix potential vulnerabilities in a responsible manner. This policy outlines how to report security issues, what we consider in scope, and what you can expect from us.

2. Scope

This policy applies to Lodol's internet-facing systems, including our web applications, APIs, browser extension, and core infrastructure. This policy does not apply to services, software, or infrastructure not owned or operated by Lodol, including third-party vendors, integrations, or dependencies. For those systems, please report issues to the appropriate vendor.

In-scope vulnerabilities include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass
  • Privilege escalation
  • Insecure direct object references (IDOR)
  • SQL injection or NoSQL injection
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • Directory traversal
  • Significant misconfigurations (e.g. exposed admin panels, unrestricted CORS)
  • Exposure of sensitive data (PII, credentials, etc.)

Out-of-scope (unless demonstrably impactful):

  • Rate limiting issues
  • Clickjacking on static or non-sensitive content
  • Public zero-day issues with no patch
  • Denial-of-service (DoS) attacks
  • Missing security headers or cookie flags
  • Physical or insider attacks
  • Social engineering or phishing

3. How to Report a Vulnerability

If you believe you've found a security issue, please email us at vulnerability@lodol.com with:

  • A clear summary of the vulnerability
  • Steps to reproduce
  • Impacted systems or endpoints
  • Any proof-of-concept code, screenshots, or logs
  • Potential impact

Testing Guidelines

  • Test only on in-scope assets.
  • Do not access, modify, or delete user data.
  • Do not use high-volume automated scanners.
  • Do not disrupt services or degrade user experience.
  • If any personal data (e.g. names, emails, account info) is accessed, do not store or share it. Immediately cease testing and include a description in your report.
  • If unsure, ask before proceeding.

4. What to Expect from Us

We will aim to acknowledge your report within three (3) business days. If the report is valid, we will investigate and aim to collaborate with you on resolution and coordinated disclosure. If your report leads to a fix, we may credit you publicly (with your permission) once the issue is resolved.

At this time, Lodol does not offer monetary rewards or bug bounties. This policy is intended to foster open and responsible collaboration with the security community.

With your consent, we may include your name or handle on future public disclosures. We respect your privacy and will not disclose your identity without permission unless required by law.

5. Safe Harbor & Legal Protections

"Good faith" means that your actions are intended to improve security, not cause harm, and that you promptly report all findings without seeking to exploit them.

We will not pursue legal action against security researchers who:

  • Act in good faith and follow this policy
  • Report vulnerabilities without exploiting or disclosing them
  • Make reasonable efforts to avoid privacy violations and service disruption
  • Do not access or retain sensitive data
  • Comply with all applicable laws and export restrictions
  • Are not located in countries which are subject to U.S. sanctions or on prohibited U.S. government lists

If you inadvertently access sensitive data (e.g. personal information), stop testing and notify us immediately. Do not download, retain, or share the data. We will treat the report as a good-faith effort.

If your testing might fall into a gray area, please reach out before testing to ensure protection under this policy.

We do not impose any contractual or legal restrictions that would prevent researchers from disclosing vulnerabilities after the agreed timeline. Lodol will never require nondisclosure agreements or retaliate against individuals who act in accordance with this policy.

You are free to report similar vulnerabilities to other affected vendors or services. Lodol does not seek or require exclusivity in disclosure.

This policy is governed by the laws of the State of California and the United States. Any disputes arising from or related to this policy will be resolved in the courts of Santa Clara County, California.

While we aim to protect responsible researchers under this policy, this does not grant immunity from legal action taken by third parties, government authorities, or in cases of malicious behavior. This policy does not constitute a waiver of any legal rights Lodol may have.

6. Coordinated Disclosure

Please allow us up to 90 days to validate, fix, and deploy patches before you publicly disclose the issue. If additional time is needed, we will coordinate with you.

7. Policy Updates

We may revise this policy as needed to reflect changes to our systems, practices, or legal requirements. Updates will appear on this page with a revised "Last updated" date. By continuing to engage in security research on Lodol systems, you agree to the latest version of this policy. Reports submitted before changes will be evaluated under the version active at the time of submission.