VULNERABILITY DISCLOSURE PROGRAM
Find security issues in LuminPDF and get a reward.
POLICY
The following guidelines give you an idea of what we usually pay out for different classes of security issues.
Low-quality issues may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue and step-by-step instructions including how to reproduce your issue. Screenshots are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.
REWARDS
MOST CRITICAL
CRITICAL
HIGH
MEDIUM
LOW
600 USD - 1200 USD
400 USD - 600 USD
200 USD
100 USD
50 USD
RULES FOR REPORTING
  • Report a qualifying vulnerability that is in the scope of our program (below).
  • Be the first person to report the vulnerability.
  • Be reasonable with automated scanning methods so as to not degrade services.
  • Refrain from disclosing the vulnerability until we've addressed it.
  • NEVER try to gain access to a real user's account or data.
  • You must not leak, manipulate, or destroy any user data.
  • Do not impact users with your testing.
IN SCOPE
OUT OF SCOPE
WHAT WE ARE LOOKING FOR
  • Cross site scripting (XSS)
  • Cross site request forgery (CSRF)
  • Insecure direct object reference (IDOR)
  • Account takeovers
  • SQL Injection
  • Authentication flaws
  • Remote code execution (RCE)
  • Server side request forgery (SSRF)
  • XML External Entity Attacks (XXE)
  • Anything not listed but important
WHAT WE ARE NOT LOOKING FOR
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Denial of Service attacks
  • Brute Force attacks
  • Spam or Social Engineering techniques
  • Content Spoofing
  • Best practices concerns
  • Issues relating to Password Policy
  • Issues relating to token lifetime
  • User enumeration
  • Full-Path Disclosure on any property
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to missing security headers
  • CSV Injection
  • Reverse Tabnabbing
  • Bugs that do not represent any security risk
  • Vulnerabilities that are limited to unsupported browsers
HOW TO REPORT?
Please send all security reports to [email protected]