Bug Bounty Program

Liminal is one of the most trusted digital asset custody brands globally. Our platform is built on the industry’s best security measures, which are regularly tested and verified against violations.
At Liminal, security is at the heart of everything we do. Hence, we want to remain steadfast to our core with the “Bug Bounty Program”. With this program, we would like to reward your support and efforts if you can help us identify loopholes and plug them immediately without any errors. We encourage responsible disclosure of security vulnerabilities using this program. Please follow the policies to report the bugs. Breaching any program policies may lead to legal consequences for the violator.
Liminal Targets

Targets

https://vaults.lmnl.app

https://api.lmnl.app

https://prod-keys.lmnl.app

Reporting Format

  • Send your report to [email protected]
  • A detailed explanation of the issue, the potential impact of the vulnerability, and browser details used to perform the attack.
  • Mandatory fields
    • Subject: subject should state vulnerability class
    • Prerequisites: List of tools/libraries/OS required to perform the attack
    • Steps to reproduce: a step-by-step guideline to reproduce the attack or a video recording while performing the attack.

    Out of Scope

    • Any targets besides the one mentioned in the target list.
    • All third party applications used at Liminal
    • The Liminal marketing website www.lmnl.app

      Rules

      • Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
      • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
      • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
      • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
      • Please do not test for spam, social engineering, or denial of service issues. Such activities against Liminal employees and end-user are prohibited.
      • Your testing must not violate any law, or disrupt or compromise any data that is not your own.
      • By responsibly submitting your findings to Liminal in accordance with these guidelines, Liminal agrees not to pursue legal action against you. Liminal reserves all legal rights in the event of non-compliance with these guidelines.
      • Contact us immediately if you inadvertently encounter user or financial transactions data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Liminal.

          Qualifying vulnerabilities

          When reporting vulnerabilities, please consider 1 attack scenario/exploitability, and 2 the security impact of the bug. The following issues are considered in scope:

          • Balance Manipulation
          • User Account Take over
          • Cross-site Scripting (XSS)
          • Cross-Site Request Forgery (Only potential issues will be considered)
          • Server-Side Request Forgery (SSRF)
          • SQL Injection
          • Server-Side Remote Code Execution (RCE)
          • XML External Entity Attacks (XXE)
          • Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
          • Exposed Administrative Panels that don’t require login credentials
          • Directory Traversal Issues
          • Local File Disclosure (LFD) and Remote File Inclusion (RFI)
          • Gaining access to any of our servers
          • Leakage of PII Information of individual or other users.

          Non-Qualifying vulnerabilities

          • Any URIs leaked because a malicious app has permission to view URIs opened
          • Absence of code obfuscation
          • Self XSS
          • Login/logout cross-site request forgery
          • Sensitive data in URLs/request bodies when protected by TLS.
          • Use of outdated software/library versions.
          • Path disclosure in the binary
          • Snapshot/Pasteboard leakage
          • Run-time hacking exploits (exploits only possible in a jail-broken/rooted environment)
          • Reports from automated tools or scans (without accompanying demonstration of exploitability)
          • Bypassing client-side control mechanisms through scanners or tools or debuggers are considered to be known vulnerabilities, post-bypass, if there is any impact on users, account then it will be reviewed by the Liminal product security team.
          • Clickjacking and open-redirect are out of scope unless it has an impact on users’ data.
          • Rate limiting on our services like resending verification emails, inviting members, subscribing to newsletters, or any others
          • MFA before email verification allowed and MFA working after the password change
          • Registering an account with any email available
          • Password field accepting many characters
          • DMARC related issues
          • DNSSEC not set

            Reward Guidelines

            Every valid security bug qualifies for rewards based on the severity of the identified bug. The severity of the bug and the corresponding reward depends on the criticality of the issue and will be determined at the sole discretion of our product security team. All changes to the code and/or to the configuration ensures an entry to our Hall of Fame. All changes with higher severity levels get further rewarded with cash payouts (as per the below table) of up to $1000 depending on the severity of the bug as well as its immediate effect on the Liminal infrastructure.

            Liminal Reward Thresholds

            Reward Thresholds