Scope

leocare.eu
espace-client.leocare.eu
api.leocare.eu
dash.leocare.fr

Responsible behavior & disclosure

Responsible disclosure only

Never publish any user data, and do not publish the details of a vulnerability before it has been patched.

Responsible behavior only

If you gain write access, do not modify or delete other users' data; use accounts you created for this purpose. Similarly, if you gain read access, do not dump the whole dataset; two entries that you created are enough.

Do not perform any of the following operations

  • exploit any vulnerability (including 1-day and 0-day)
  • steal other customers' data
  • delete customer data
  • phishing
  • DDoS

Vulnerability types

In-Scope

  • Type-1 & Type-0 XSS on modern browsers
  • Type-2 XSS
  • SQL injection
  • shell command injection
  • memory corruption
  • disclosure of sensitive information
  • code execution on the server side: BOF, IOF, IUF, UAF, race conditions in our applications
  • web command injection: shell injection, XSS, SQL injection, PHP injection, XXE, SSRF …
  • path traversal, LFI, RFI, open redirect (assuming it leaks customer data)
  • authentication or authorization flaw, or significant infoleak of customer data

Out-Of-Scope

  • missing header (except if it is a proven way to gain additional privilege on your OWN account)
  • DKIM, DMARC
  • Phishing
  • version disclosure
  • DDoS
  • Spam
  • logout CSRF
  • clickjacking
  • directory listing (unless you get server-interpreted source code)
  • CSRF (unless it affects the confidentiality or the availability of user data)
  • Session Fixation
  • missing Content-Type header (unless you can upload a file)
  • cookie set without the Secure flag
  • no HSTS header
  • Cache settings (unless you get code execution or privilege escalation or significant infoleak)
  • path/exception disclosure
  • password auto-complete in browser
  • password policy