Responsible Disclosure Policy
At LeakSnitch, the security of our users' data is our highest priority. We welcome the community's help in finding and responsibly disclosing vulnerabilities.
Our Commitment
LeakSnitch is built on the principle of radical transparency — every detection rule we write is publicly auditable. We extend that same transparency to our security posture. If you discover a security vulnerability in any LeakSnitch product, website, or infrastructure, we encourage you to report it to us promptly so we can investigate and remediate it.
Scope
This policy applies to:
- The LeakSnitch website and dashboard (leaksnitch.com and all subdomains)
- The LeakSnitch Chrome extension
- The LeakSnitch Cloudflare Workers (api.leaksnitch.com)
- Our API endpoints and supporting infrastructure
Bug Bounty Program
We operate a private bug bounty program for qualifying vulnerabilities. Rewards are determined based on the severity and impact of the reported issue:
- Critical (RCE, SQL injection, authentication bypass, data exfiltration) — Up to $5,000
- High (privilege escalation, IDOR, SSRF, stored XSS) — Up to $2,000
- Medium (reflected XSS, CSRF, sensitive data exposure) — Up to $500
- Low (information disclosure, missing security headers, minor CSP issues) — Up to $100
All reward amounts are at the discretion of LeakSnitch and are paid via bug bounty platform or direct transfer.
How to Report
Please email your findings to [email protected].
Include in your report:
- A clear description of the vulnerability
- Steps to reproduce (screenshots, video, or proof-of-concept code)
- The affected component (website, extension, Worker, etc.)
- Your estimated severity assessment
- Your contact information for follow-up
Our Promise to You
When you report in accordance with this policy:
- We will acknowledge receipt within 48 hours
- We will investigate and keep you informed of progress
- We will not pursue legal action against you for good-faith research
- We will credit you (with your permission) in our security acknowledgments
- We will notify you when the issue has been resolved
Guidelines
Please follow these guidelines when researching and reporting:
- Do not access or modify other users' data without their permission
- Do not perform attacks that could degrade service availability (DoS, DDoS, spam)
- Do not publicly disclose the vulnerability before we have resolved it
- Do not use automated vulnerability scanners against our production infrastructure without prior authorization
- Do not attempt to phish or socially engineer our employees or users
- Stop testing and notify us immediately if you encounter user data
Out of Scope
The following are considered out of scope and are not eligible for bounty rewards:
- Self-XSS or clickjacking on pages that do not handle sensitive actions
- Missing HTTP security headers that do not lead to exploitable vulnerabilities
- Rate limiting bypass on non-authentication endpoints
- Third-party services or dependencies (report those to the respective vendor)
- Social engineering attacks against LeakSnitch employees
- Physical security attacks against LeakSnitch facilities
Questions?
If you have any questions about this policy or the security of LeakSnitch products, please contact us at [email protected].