Store your passwords, manage sensitive data, fill in forms and log in to your favorite sites with one click. Locker is here to help.

Managed by WhiteHub

Points - 500 USD

24 May 2022

  • Description was changed
 - Do not access customer or employee personal information. If you accidentally access any of these, please stop testing and submit the vulnerability.
 - Do not degrade the user experience, disrupting production systems, or destroy data during security testing.
 - Use the WhiteHub report submission form to report vulnerability information to us.
-- Collect only the information necessary to demonstrate the vulnerability.

+- Collect only the necessary information to demonstrate the vulnerability.

 - Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the WhiteHub submission form (you can use third-party file sharing sites but you have to make sure they are not disclosed to anyone other than us).
 - When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
 - It is compulsory for you to send all questions and reports to WhiteHub so that we can ensure your benefits and avoid any unnecessary problems. Please do not directly contact the business.

Updated by Locker Password Manager 6 months ago

24 May 2022

  • Description was changed
 - Authentication-related issues
 - Authorization-related issues
 - Data Exposure
+

 Focus areas include:
 - Account management (Create / edit / delete an account, login / logout, etc.)
 - Data management (Create / edit / delete data or a folder, access control issues)

Updated by Locker Password Manager 6 months ago

24 May 2022

  • Currency was changed to USD

Updated by Locker Password Manager 6 months ago

24 May 2022

  • Description was changed
 Violations will be dealt with by warning, refusing to reward or permanently banning the account on WhiteHub
 
 ## Qualifying vulnerabilities
-Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Focus areas include:

-

+Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

+- Remote Code Execution

+- SQL Injection (SQLi)

+- Business Logic

+- Mobile-specific API vulnerabilities

+- Cross Site Scripting (XSS)

+- Cross-Site Request Forgery (CSRF)

+- Authentication-related issues

+- Authorization-related issues

+- Data Exposure

+Focus areas include:

+- Account management (Create / edit / delete an account, login / logout, etc.)

+- Data management (Create / edit / delete data or a folder, access control issues)

+- Security features for passwords and authentication

+- Data storage and autofilling

+- Payment service

+- New user invitation

+- Biometric authentication

+- Data export / download / synchronization / sharing

+- Emergency / trusted contacts

 
 
 ## Non-qualifying vulnerabilities

Updated by Locker Password Manager 6 months ago

24 May 2022

  • Description was changed
 ## Qualifying vulnerabilities
 Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Focus areas include:
 
-* Static marketing and support web pages

-* Signup process

-* Sign in / authentication

-* Web application

-    - Vaults must be created through the web application

-    - All vault and user management must be performed through the web application

-    - Admin Console

-    - Vault creation and sharing

-    - Team member invitation and approval

-    - Owners, admins and recovery

-    - Guest user invitation and removal for 

-    - User removal

-    - Account recovery

-    - Permissions and roles

-    - etc.

-* Native apps (Android, iOS, Extension)

-    Item creation through native applications

-    Item deletion through native applications

-    Item updates through native applications

-    Item sharing / copying through the native applications

 
 
 ## Non-qualifying vulnerabilities
 Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:
-- Broken client-side access control mechanisms. While always helpful and appreciated to be reported on, client-side mechanisms generally run in an environment that is out of our control.

-- Attacks targeting jailbroken or rooted mobile devices. Users are explicitly notified about the security concerns of installing Locker Password Manager on such a device.

-- Links that are indexed by Google and/or url scan sites. Sometimes these links can affect customer data but only for a short period of time. These can appear due to manual scans done by users or by virus scanners and may stay indexed for a period of time.

+- Broken client-side access control mechanisms.

+- Attacks targeting jailbroken or rooted mobile devices.

+- Links that are indexed by Google and/or URL scan sites.

 - Two-Factor Authentication (2FA) not being necessary for page load autofill from loading the user’s local offline cache. If the user’s account settings permit offline access for 2FA and if the user has previously logged into the machine, offline mode will override 2FA and allow the web browser to run page load autofill. This will not happen if the login is done on a new device.
 - Attacks against endpoints which enable username enumeration or brute forcing of credentials (for example login forms) when those endpoints already have reasonable rate limits in place. Distributed attacks using multiple IP addresses are also excluded.
-- WebView-related issues in our in-app browser on Android and iOS. We are greatly limited by the platform and most of these bugs are bugs in the WebView itself. If you find an issue with our implementation/usage and there is a reasonable way to fix it, we may consider it.

-- Memory dumps or issues found by tools that read active or cached memory. Performing such an attack would require an already compromised system and a malicious actor with escalated privileges. Once such an attack can be performed on a system, there is no way in principle to protect other processes running on that system.

-- Attacks performed by a malicious application or browser extension installed on the system, as there is usually no way to protect against them on desktop platforms. On mobile we accept issues exploited by apps with limited privileges (e.g. if an app without any special permission could read the unencrypted passwords, that would typically be in scope).

+- WebView-related issues in our in-app browser on Android and iOS. If you find an issue with our implementation/usage and there is a reasonable way to fix it, we may consider it.

+- Memory dumps or issues found by tools that read active or cached memory. Performing such an attack would require an already compromised system and a malicious actor with escalated privileges. 

+- Attacks performed by a malicious application or browser extension installed on the system. On mobile we accept issues exploited by apps with limited privileges (e.g. if an app without any special permission could read the unencrypted passwords, that would typically be in scope).

 - Insider threats.
-- Denial of service, spam, or phishing attacks. These attacks are considered abusive and can harm our customers.

-- Limitations around sharing which are documented on our website. Sharing has technical limitations so please check the description of explicitly mentioned ones on.

-- Attacks that rely on/have as a prerequisite successfully placing a man in the middle between our servers and the client. We take precautions in order to make these attacks difficult or infeasible (e.g. using HTTPS exclusively), but some aspects are out of our control and thereby excluded from eligibility.

+- Denial of service, spam, or phishing attacks.

+- Limitations around sharing which are documented on our website.

+- Attacks that rely on/have as a prerequisite successfully placing a man in the middle between our servers and the client. 

 - "Missing" security practices without a realistic attack scenario (e.g. missing HTTP headers, missing certificate pinning) or in general questioning design decisions.
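Review bot: the rewritten exclusion items drop the rationale the earlier wording carried (for example, the "+- Attacks that rely on/have as a prerequisite successfully placing a man in the middle ..." line no longer mentions the HTTPS-only precaution, and the "+- Memory dumps ..." line no longer explains why other processes cannot be protected once a system is compromised). Researchers use that reasoning to decide whether a finding is worth reporting, so consider keeping a short justification on each item. Both of those "+" lines also end in trailing whitespace that should be trimmed.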

Updated by Locker Password Manager 6 months ago

23 May 2022

  • Description was changed
 Violations will be dealt with by warning, refusing to reward or permanently banning the account on WhiteHub
 
 ## Qualifying vulnerabilities
-Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

+Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Focus areas include:

 
-- Remote Code Execution

-- SQL Injection (SQLi)

-- Business Logic

-- Mobile-specific API vulnerabilities

-- Cross Site Scripting (XSS)

-- Cross-Site Request Forgery (CSRF)

-- Authentication-related issues

-- Authorization-related issues

-- Data Exposure

+* Static marketing and support web pages

+* Signup process

+* Sign in / authentication

+* Web application

+    - Vaults must be created through the web application

+    - All vault and user management must be performed through the web application

+    - Admin Console

+    - Vault creation and sharing

+    - Team member invitation and approval

+    - Owners, admins and recovery

+    - Guest user invitation and removal for 

+    - User removal

+    - Account recovery

+    - Permissions and roles

+    - etc.

+* Native apps (Android, iOS, Extension)

+    Item creation through native applications

+    Item deletion through native applications

+    Item updates through native applications

+    Item sharing / copying through the native applications

+

 
 ## Non-qualifying vulnerabilities
 Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:
-

-- URL redirection

-- Bugs requiring exceedingly unlikely user interaction

-- Logout cross-site request forgery 

-- Flaws affecting the users of out-of-date browsers and plugins.

-- Presence of banner or version information

-- Email spoofing

-- DDoS
+- Broken client-side access control mechanisms. While always helpful and appreciated to be reported on, client-side mechanisms generally run in an environment that is out of our control.

+- Attacks targeting jailbroken or rooted mobile devices. Users are explicitly notified about the security concerns of installing Locker Password Manager on such a device.

+- Links that are indexed by Google and/or url scan sites. Sometimes these links can affect customer data but only for a short period of time. These can appear due to manual scans done by users or by virus scanners and may stay indexed for a period of time.

+- Two-Factor Authentication (2FA) not being necessary for page load autofill from loading the user’s local offline cache. If the user’s account settings permit offline access for 2FA and if the user has previously logged into the machine, offline mode will override 2FA and allow the web browser to run page load autofill. This will not happen if the login is done on a new device.

+- Attacks against endpoints which enable username enumeration or brute forcing of credentials (for example login forms) when those endpoints already have reasonable rate limits in place. Distributed attacks using multiple IP addresses are also excluded.

+- WebView-related issues in our in-app browser on Android and iOS. We are greatly limited by the platform and most of these bugs are bugs in the WebView itself. If you find an issue with our implementation/usage and there is a reasonable way to fix it, we may consider it.

+- Memory dumps or issues found by tools that read active or cached memory. Performing such an attack would require an already compromised system and a malicious actor with escalated privileges. Once such an attack can be performed on a system, there is no way in principle to protect other processes running on that system.

+- Attacks performed by a malicious application or browser extension installed on the system, as there is usually no way to protect against them on desktop platforms. On mobile we accept issues exploited by apps with limited privileges (e.g. if an app without any special permission could read the unencrypted passwords, that would typically be in scope).

+- Insider threats.

+- Denial of service, spam, or phishing attacks. These attacks are considered abusive and can harm our customers.

+- Limitations around sharing which are documented on our website. Sharing has technical limitations so please check the description of explicitly mentioned ones on.

+- Attacks that rely on/have as a prerequisite successfully placing a man in the middle between our servers and the client. We take precautions in order to make these attacks difficult or infeasible (e.g. using HTTPS exclusively), but some aspects are out of our control and thereby excluded from eligibility.

+- "Missing" security practices without a realistic attack scenario (e.g. missing HTTP headers, missing certificate pinning) or in general questioning design decisions.
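Review bot: two added lines are incomplete and should be finished before publishing. "+    - Guest user invitation and removal for " breaks off mid-sentence, and "+- Limitations around sharing which are documented on our website. Sharing has technical limitations so please check the description of explicitly mentioned ones on." ends without saying where the documented limitations can be found. The sub-items under "+* Native apps (Android, iOS, Extension)" are also indented without a list marker, unlike the "-" items under "+* Web application", so they will not render as a nested list.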

Updated by Locker Password Manager 6 months ago

23 May 2022

  • In-scope targets were changed to:
    • *.locker.io - website
    • Android App - android
    • IOS app - ios
    • Extension - desktop

Updated by Locker Password Manager 6 months ago

12 April 2022

  • In-scope targets were changed to:
    • Source Code - source_code
    • *.locker.io - website
    • API - api
    • Android App - android
    • Extension - source_code
    • IOS app - ios

Updated by Locker Password Manager 8 months ago

12 April 2022

  • Description was changed
+## Required policies

+We require that all researchers:

+

+- Do not access customer or employee personal information. If you accidentally access any of these, please stop testing and submit the vulnerability.

+- Do not degrade the user experience, disrupting production systems, or destroy data during security testing.

+- Use the WhiteHub report submission form to report vulnerability information to us.

+- Collect only the information necessary to demonstrate the vulnerability.

+- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the WhiteHub submission form (you can use third-party file sharing sites but you have to make sure they are not disclosed to anyone other than us).

+- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

+- It is compulsory for you to send all questions and reports to WhiteHub so that we can ensure your benefits and avoid any unnecessary problems. Please do not directly contact the business.

+- **Public discussion about this program is not permitted**

+- **Your report is not allowed to disclose publicly without our consent**. In case of the agreement reached, we can disclose your report on WhiteHub.

+

+Violations will be dealt with by warning, refusing to reward or permanently banning the account on WhiteHub

+

+## Qualifying vulnerabilities

+Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

+

+- Remote Code Execution

+- SQL Injection (SQLi)

+- Business Logic

+- Mobile-specific API vulnerabilities

+- Cross Site Scripting (XSS)

+- Cross-Site Request Forgery (CSRF)

+- Authentication-related issues

+- Authorization-related issues

+- Data Exposure

+

+## Non-qualifying vulnerabilities

+Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:

+

+- URL redirection

+- Bugs requiring exceedingly unlikely user interaction

+- Logout cross-site request forgery 

+- Flaws affecting the users of out-of-date browsers and plugins.

+- Presence of banner or version information

+- Email spoofing

+- DDoS
  • In-scope targets were changed to:
    • Source Code - source_code
    • *.locker.io - website
    • API - api
    • Android App - android
    • Extension: - source_code
    • IOS app - ios

Updated by Locker Password Manager 8 months ago