lilylabs/disclosure

// security disclosure program

Find a bug.
Get honor.

Seriously, you can't take money to the grave. Honor stays for eternity.
As well as your name on the Wall of Fame ;)


Scope

In scope

  • lilylabs.com (main marketing & dashboard)
  • *.lilylabs.dev (user-deployed hosting infrastructure)
  • api.lilylabs.com (REST + GraphQL endpoints)
  • CLI tool (lilylabs npm package)

Out of scope

  • Third-party services we integrate with
  • Social engineering or physical attacks
  • Denial-of-service or volumetric attacks
  • Vulnerabilities in user-deployed code

Not considered a vulnerability

  • Missing security headers without demonstrated impact
  • Email spoofing / SPF / DMARC / DKIM issues
  • Self-XSS
  • Clickjacking on pages without sensitive actions
  • Vulnerabilities requiring physical access or rooted devices
  • Reports from automated scanners without manual validation
  • Best-practice suggestions without security impact
  • DoS / DDoS / rate-limiting issues
  • Issues only affecting outdated browsers (>2 versions old)

Rewards

  Severity   Reward
  CRITICAL   1 year Pro plan + Wall of Fame + handwritten letter from the founder
  HIGH       6 months Pro plan + Wall of Fame
  MEDIUM     3 months Pro plan
  LOW        1 month Pro plan

Rewards are issued as platform credits on your LilyLabs account. Wall of Fame recognition is reserved for High and Critical reports. Final reward tier depends on impact, quality of report, and exploit reliability.


Rules of Engagement

  1. Test only against your own accounts and assets you control.
  2. Do not access, modify, or destroy other users' data.
  3. Provide clear reproduction steps. No proof-of-exploit beyond what's necessary.
  4. Give us reasonable time to fix before public disclosure (90 days default).
  5. First reporter of a unique, valid finding gets the reward.

Safe Harbor

We consider security research conducted in accordance with this policy as authorized under §202a-c German Criminal Code (Hackerparagraph). We will not pursue civil or criminal action against researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations and data exfiltration beyond what's necessary to demonstrate the issue
  • Report findings promptly and don't disclose them publicly before we've had a reasonable chance to respond

If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your actions were authorized.


// ready?

Got a finding?

One form. No account required. We respond to every valid submission.
