The security of Loddi systems and the data residing within them is crucial to us, and we treat potential security issues as a top priority. We do our best to protect the data of Loddi merchants and customers from security threats, and we encourage all users and security researchers to report security vulnerabilities discovered in our platform. We are committed to handling vulnerability reports in a timely manner and with the greatest attention, provided that the following Policy is respected.
Loddi’s vulnerability disclosure program covers the following products:
Loddi Web Application - https://MyLoddi.com/
While Loddi develops a number of other products, we ask that all security researchers submit vulnerability reports only for the products listed in point 1 above, subject to point 3 below.
If you believe you have identified a critical vulnerability or potential data leakage that is out of scope under point 1 above, but may still negatively impact the data of Loddi or its users, please do not hesitate to contact us.
Please share privately the details of your security vulnerability by emailing our Security Team at [email protected].
When reporting, include as much information as possible: screenshots, detailed steps to reproduce the problem, the affected application versions, and any other information that might help us triage the vulnerability more efficiently.
You privately share the details of the security vulnerability with our Security Team by reporting an issue, as described in point II (1) above.
We acknowledge your submission and verify the vulnerability. We generally send a first response within 2 business days.
If the vulnerability is considered valid and in scope, we work on a fix, collaborating with you to the extent you are comfortable with.
Once a vulnerability is patched by our product team we notify you about the fix and recognize you in our Hall of Fame, if you agree.
We ask you to follow these rules at all times:
do not view or store Loddi’s non-public data (except the data necessary to document and report the presence of a potential vulnerability);
do not attempt to access or modify data that belongs to other Loddi users;
do not attempt to execute denial of service attacks, or to compromise the reliability and availability of Loddi services;
do not use scanners, automated tools or any other tools that may generate excessive traffic and negatively impact the system's availability;
never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system;
do not publicly disclose vulnerabilities without our prior consent (disclose only according to the disclosure procedure in point IV above).
When contacting us, please provide a proof-of-concept attack (with screenshots if necessary) or a script exploiting the issue. If the proposed attack scenario turns out to be unrealistic, your report will likely be rejected, although we will acknowledge it.
Qualifying vulnerabilities:
injection vulnerabilities;
XSS vulnerabilities working in supported browsers;
broken authentication or session management, allowing unauthorized access to sensitive data or account takeovers;
vulnerabilities resulting in arbitrary code execution or reading sensitive files/data (RCE, LFI, RFI, SSRF, XXE);
broken access control (privilege escalation, IDOR, CSRF);
sensitive information disclosure (PII, booking data, secrets, sensitive API keys, configuration files);
business logic vulnerabilities that allow the intended business flow to be bypassed and cause harm to Loddi or its users;
other vulnerabilities where you are able to clearly demonstrate a negative impact on Loddi’s data & system security.
Non-qualifying vulnerabilities:
suboptimal HTTP header configuration (unless you are able to prove a non-theoretical impact of such a configuration);
suboptimal SSL/TLS configuration (unless you are able to prove a non-theoretical impact of such a configuration);
XSS vulnerabilities working only in unsupported/deprecated browsers, or requiring an action which is unlikely to be taken by an aware user (e.g. pressing some key combination);
user/e-mail enumeration vulnerabilities;
file path disclosures or error handling issues, which do not carry significant risk;
clickjacking or phishing attacks using social engineering tricks to abuse users, with the system working as intended;
suboptimal password policies;
non-permanent Denial of Service (DoS) and distributed DoS (DDoS) that maintain resource exhaustion (CPU/network/memory) via a sustained stream of requests/packets;
mobile vulnerabilities related to insufficient reverse-engineering protection, or client-side vulnerabilities that require, e.g., a compromised device to be exploited;
disclosure of information that does not carry significant risks (e.g. server type);
suboptimal configuration of e-mail security policies (e.g. DKIM, DMARC).
If you are unsure whether an issue falls within the scope that should be reported to us, please do not hesitate to contact us.
If you report a non-duplicate security issue that is confirmed to be impactful (see the section in point V (2) above), we will be happy to include your name in the Loddi Security Hall of Fame section, if you agree.
If we consider that the vulnerability you reported has a major impact on Loddi's security, such as disclosure of critically sensitive information or remote access to core systems, you may be rewarded with an additional surprise.
Last updated April 17, 2025