Keeping user information safe and secure is a top priority and a core company value for us at Left Technologies Inc. and RightMesh AG (RightMesh). We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable input aiding in the security of all users.
Left and RightMesh provide rewards to vulnerability reporters at our discretion. Reward amounts may vary depending upon the severity of the vulnerability reported and the quality of the report. Keep in mind that this is not a contest or competition. There are usual minimum rewards for critical vulnerabilities affecting the core Left and RightMesh applications, websites and servers.
We reserve the right to determine the reward amount for a vulnerability or even whether a reward should be granted. We typically reward lower amounts for vulnerabilities that require significant user interaction. We also may pay higher rewards for clever or severe vulnerabilities.
For now, the left.io and rightmesh.io websites and associated subdomains are eligible for the bounty program. We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability, threat of releasing the vulnerability or any exposed data to the public, or attacking or threatening to attack our sites, users, employees, or other people or infrastructure associated with our companies or brands).
The following issues are outside the scope of our rewards program:
Here is a blog post on best practices on how to submit security reports
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with our bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a report to us at firstname.lastname@example.org before engaging in conduct that may be inconsistent with or unaddressed by this policy.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won't apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. RightMesh, Left Technologies Inc. and related company employees and their family members are not eligible for bounties.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, RightMesh and Left Technologies Inc. reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes. This bug bounty policy was originally copied and modified from the fine example provided free by Dropbox.
All rewards are paid in the Canadian dollars.