The Lexzur bug bounty program is designed to incentivize researchers and other members of the security community to report vulnerabilities in our systems. We offer rewards in the form of cash or other incentives for successfully identifying and disclosing vulnerabilities.

Scope

The scope of this bug bounty program includes all publicly accessible systems and services provided by Lexzur, including web and mobile applications, API endpoints, and other publicly accessible systems.

Only the following types of vulnerabilities will be rewarded:

  • Cross-site scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL injection
  • Remote code execution (RCE)

Eligibility

To be eligible to participate in this bug bounty program, researchers must:

  • Be 18 years of age or older
  • Not be a current or former employee of Lexzur or any of its affiliates

Rules

  • Do not access or attempt to access sensitive data
  • Do not perform any actions that could harm our systems or users
  • Do not exploit any vulnerabilities that depend on social engineering, spamming, DDoS attacks, or other similar types of exploitation
  • Do not reuse a technique that has already been reported and rewarded; subsequent reports of the same nature will not be eligible for additional rewards
  • 0-day vulnerabilities less than 30/60/90 days from patch release are ineligible for a bounty


Submission Guidelines

  • Provide detailed steps to reproduce the vulnerability
  • Provide a proof of concept, including any supporting evidence such as screenshots or videos
  • Describe the impact of the issue and how an attacker could exploit it
  • Identify the affected target, feature, or URL

If your report does not include the information necessary for us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.

Reporting

Researchers who believe they have discovered a potential vulnerability in Lexzur's systems should report it to our security team via the email address sec@lexzur.com.

If similar vulnerabilities are reported, the payment may be split among those reporters, or it may be awarded to the first person who reported it.

Responsible Disclosure

Researchers are expected to follow responsible disclosure practices when reporting vulnerabilities. This means that researchers should not publicly disclose the vulnerability or exploit it for any purpose other than to demonstrate its existence to Lexzur's security team.

Lexzur reserves the right to immediately remove you from the Bug Bounty program if you violate any of these terms and conditions as determined by Lexzur. This includes sending any harassing, threatening, or unlawful messages to Lexzur. Any such messages may be reported to relevant law enforcement entities.

To the maximum extent permitted by law, Lexzur and its officers, directors, employees, partners, affiliated companies, subsidiaries, suppliers, distributors, advertising and promotional agencies, and agents shall not be liable for any indirect, incidental, consequential, special, or punitive damages arising out of or in connection with your participation in the Program.

By participating in this bug bounty program, researchers agree to these terms and conditions. Lexzur reserves the right to modify or terminate this program at any time.

Management And Triage

All incoming reports will be reviewed and triaged by our security team. We will provide timely responses to participants, and will promptly pay out rewards for eligible vulnerabilities.

Rewards

Lexzur will offer rewards for eligible vulnerabilities according to the following schedule:

  • Critical vulnerabilities: $100
  • High severity vulnerabilities: $75
  • Medium severity vulnerabilities: $50
  • Low severity vulnerabilities: $30

Payment processing will begin once validation of the reported vulnerability has been completed and is expected to take around 30 working days to finalize.

Lexzur reserves the right to validate or reject a reported vulnerability, stating the reason, and to determine the severity of a vulnerability and the amount of the reward.