[{"id":3573015,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action for covered activities, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy by legitimate security researchers. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute \"authorized\" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against legitimate security researchers for circumventing the technological measures we have used to protect the applications in scope.\n\nIn case of any conflict between the terms of this policy and our [Terms of Service](https://www.legalrobot.com/terms/), this policy will prevail.\n\nIf legal action is initiated by a third party against you and you are a legitimate security researcher that has complied with this policy, we will make it known that your actions were conducted in compliance with this policy. 
Contact us at [security@legalrobot.com](mailto:security@legalrobot.com) for assistance.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nYou are expected, as always, to comply with all applicable laws. \n\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n## Questions\nAlways feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-04T18:26:53.622Z"},{"id":3573014,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action for covered activities, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Safe Harbor\nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute \"authorized\" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against legitimate security researchers for circumventing the technological measures we have used to protect the applications in scope.\n\nIn case of any conflict between the terms of this policy and our [Terms of Service](https://www.legalrobot.com/terms/), this policy will prevail.\n\nIf legal action is initiated by a third party against you and you are a legitimate security researcher that has complied with this policy, we will make it known that your actions were conducted in compliance with this policy. 
Contact us at [security@legalrobot.com](mailto:security@legalrobot.com) for assistance.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nYou are expected, as always, to comply with all applicable laws. \n\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n## Questions\nAlways feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-04T18:25:14.089Z"},{"id":3573012,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action for covered activities, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Safe Harbor \u0026 \nTo encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to constitute \"authorized\" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against legitimate security researchers for circumventing the technological measures we have used to protect the applications in scope.\n\nIn case of any conflict between the terms of this policy and our [Terms of Service](https://www.legalrobot.com/terms/), this policy will prevail.\n\nIf legal action is initiated by a third party against you and you are a legitimate security researcher that has complied with this policy, we will make it known that your actions were conducted in compliance with this policy. 
Contact us at [security@legalrobot.com](mailto:security@legalrobot.com) for assistance.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nYou are expected, as always, to comply with all applicable laws. \n\nPlease submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n## Questions\nAlways feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-04T18:17:36.766Z"},{"id":3562238,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action for covered activities, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nAlways feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-24T19:31:03.637Z"},{"id":3562235,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nAlways feel free to ping us at security@legalrobot.com if you have any questions or want to check if we already know about an issue before you go to the trouble of creating a full PoC and bug report on HackerOne.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-24T18:37:24.088Z"},{"id":3562020,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n* Non-HTTPS links or links to dead websites.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-20T23:09:01.825Z"},{"id":3560105,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control (Intercom chat box, Disqus blog comments, Google Analytics, etc).\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-09-06T19:28:26.076Z"},{"id":3559796,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc. 
including attacks that require self-exploit\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-31T19:56:53.642Z"},{"id":3559756,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. 
See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Disclosure\nIn the interest of transparency, it is our policy to *at least* ask for disclosure on all reports, but it is not necessary for Informative/Not Applicable/Duplicate, only Resolved reports - even then, we're happy to do Limited Disclosure or delay for a good reason. In order to hold ourselves to a high standard, we'll also do Full Disclosure if there is a possibility that we've been unfair to a researcher (marked as Spam, Locked Report, etc).\n\n## Duplicates\nWe want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-30T17:30:45.564Z"},{"id":3559609,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. Also, because we want to show that we respect your work, we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a distributed denial-of-service (DDoS) attack. Targeted DoS attacks against a specific user account that you create *in our non-production environment* are likely OK as long as they don't degrade service or get us blacklisted with our service providers. If you're unsure, just ask us at hello@legalrobot.com.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. 
DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use NoSQL databases (i.e. try NoSQL injection attacks, not SQL injection - it just won't work).\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, launch a DDoS attack, or anything else that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-25T22:51:35.763Z"},{"id":3559279,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. 
Also, because we want to show that we respect your work, we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* **Don't ask for updates on a report or cross-post.** Doing this just adds to the noise and annoys our team. Reports with excessive status request messages will be closed without a bounty or sent to mediation.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We primarily use NoSQL databases. Try NoSQL injection attacks before SQL injection.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). 
Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. 
More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-17T23:39:04.987Z"},{"id":3558792,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. Also, because we want to show that we respect your work, we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. 
DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We primarily use NoSQL databases. Try NoSQL injection attacks before SQL injection.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T01:45:23.799Z"},{"id":3558787,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. 
We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We primarily use NoSQL databases. Try NoSQL injection attacks before SQL injection.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... 
just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we will happily [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty of $20-$???? for legitimate, non-duplicate security issues reported through HackerOne, provided you follow these rules. 
More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:37:23.099Z"},{"id":3558786,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. 
DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We primarily use NoSQL databases. Try NoSQL injection attacks before SQL injection.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). We also offer a monetary bounty for security issues reported through HackerOne, provided you follow these rules. More serious issues will be rewarded appropriately.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:35:51.637Z"},{"id":3558785,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. 
We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We primarily use NoSQL databases. Try NoSQL injection attacks before SQL injection.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* It's easier for us to research issues when you include the version number and build in your report (check the bottom left corner in our non-production environment).\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... 
just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Header injection, unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:32:44.291Z"},{"id":3558784,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. 
\n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability.\n* Anything that requires physical access to a device or network, special permissions (e.g. tapjacking), rootkits, etc.\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc).\n* Social engineering, phishing, spear phishing, etc.\n* Host header injections unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:28:52.571Z"},{"id":3558783,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. 
We want to show that we respect your work, so we will only close a report as a Duplicate with a link to the original report or to a previous public disclosure.\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production environment at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* Please don't ask for updates on a report.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n* When possible, we post about unresolved bugs here: [app.legalrobot.com/roadmap](https://app.legalrobot.com/roadmap). Check the \"Known Issues\" section before submitting a report.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. 
Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability\n* Anything that requires physical access to a device or network, rootkits, or special permissions (e.g. tapjacking)\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc)\n* Social engineering, phishing, spear phishing, etc.\n* Host header injections unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:27:35.913Z"},{"id":3558782,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. We will only close a report as a Duplicate with a link to the original report (as quick as we can, so you can move on to other issues).\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production servers at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. 
\n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain.\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability\n* Anything that requires physical access to a device or network, rootkits, or special permissions (e.g. tapjacking)\n* Anything requiring outdated browsers, platforms, or crypto (i.e. 
TLS BEAST, POODLE, etc)\n* Social engineering, phishing, spear phishing, etc.\n* Host header injections unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:18:42.731Z"},{"id":3558781,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nAll bug bounty programs get duplicate reports. We will only close a report as a Duplicate with a link to the original report (as quick as we can, so you can move on to other issues).\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production servers at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain\n* Bounties for access to other users' data are worth the most. DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... 
just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability\n* Anything that requires physical access to a device or network, rootkits, or special permissions (e.g. tapjacking)\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc)\n* Social engineering, phishing, spear phishing, etc.\n* Host header injections unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:17:12.420Z"},{"id":3558780,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. As long as your research stays within the bounds of this policy, we welcome the dialogue, promise not to take legal action, and hope that we can compensate you for your efforts to make our products more secure.\n\nIt is our policy to request *at least* limited disclosure on all Resolved reports, but we'll work with you if there is a legitimate reason to delay disclosure. \n\nWe do get quite a few duplicate reports. If you submit a duplicate, we will always link to the original report (as quick as we can, so you can move on to other issues).\n\n##Rules\n* **Use good judgment.** If you find a vulnerability, don't run it in production. Instead, use our non-production servers at legalrobot-uat.com.\n* Again, **don't run tests against our production domain, legalrobot.com.**\n* Do not destroy or degrade our performance, or violate the privacy or integrity of users or their data. \n* **Never** attempt to view, modify, or damage data belonging to others in production (do this on legalrobot-uat.com).\n* Do not interact with other users.\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n\n## Helpful Hints\n* Our www subdomain is all static content, focus on the app subdomain\n* Bounties for access to other users' data are worth the most. 
DO NOT ATTEMPT THIS IN PRODUCTION.\n* We don't use cookie-based authentication.\n* We use [Stripe](https://stripe.com) as our payment processor. See the [testing documentation](https://stripe.com/docs/testing) for test credit card numbers that will result in a successful transaction in our non-production environment.\n* Disputing a *live* Credit Card transaction will get you immediately banned and no longer exempted from legal action.\n\n##Destructive/Invasive Attacks\nAll of the data in our non-production environment (legalrobot-uat.com) is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers. Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible there. Issues that *we* cannot reproduce in production (legalrobot.com) will not be accepted.\n\n##Ineligible Reports\n* Anything from an automated scan, anything that is already public, or anything not under our control.\n* Version disclosure, unless it leads to a vulnerability\n* Anything that requires physical access to a device or network, rootkits, or special permissions (e.g. tapjacking)\n* Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc)\n* Social engineering, phishing, spear phishing, etc.\n* Host header injections unless you can show how they can lead to stealing user data.\n* Login/logout CSRF, or lack of CSRF tokens\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. 
We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in).\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-08T00:14:44.475Z"},{"id":3543951,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, some of our products are in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nIn the words of Cesar Millan: \"no talk, no touch, no eye contact\". Basically, use good judgment (except as outlined below in \"Destructive/Invasive Attacks\").\n* Clearly identify your account by adding something like \"H1\", \"attacker\", \"hacker\", \"test\", etc. 
to your name so we don't terminate your account when we see suspicious activity.\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must *never* attempt to view, modify, or damage data belonging to others in production (though, we encourage these attempts in our non-production environment).\n* Do not interact with other users without their prior consent.\n* Do not attempt a denial-of-service attack on our production environment (legalrobot.com).\n* Do not perform any research or testing in violation of law.\n\nAs long as your research stays within the bounds of the criteria in this policy, we welcome the dialogue and promise not to take legal action.\n\n## Report Focus \u0026 Tips\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\nOur www subdomain only hosts static, non-sensitive content like our blog and marketing pages, so many attacks against this subdomain are unlikely to result in a bounty. We suggest that you focus your efforts on our app subdomain.\n\nWe proudly use [Stripe](https://stripe.com) as our payment processor. To simulate a payment and gain access to a paid-only section of our app, we suggest you work in our non-production environment (legalrobot-uat.com) and check out the [Stripe testing documentation](https://stripe.com/docs/testing) which has test credit card numbers.\n\nIf you accidentally perform a live transaction, just let us know at hello@legalrobot.com and we'll make things right. Security researchers that dispute a live transaction will be immediately banned from our HackerOne program and will no longer be exempted from legal action. 
We may take further action outside of this policy (but always in accordance with our [terms of service](https://www.legalrobot.com/terms/)).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). Because legalrobot-uat.com is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not on legalrobot.com will not be accepted.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Disclosure of software version, server IP, or other non-sensitive information. 
We're happy to accept reports on this, but reports will be closed as informative without a demonstration of an exploit using the information.\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\nYou must be the first person to report the issue to us. 
If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\n## Questions\nFor any questions or clarification on this policy, feel free to email us at hello@legalrobot.com or ask us inside the app through the Intercom chat window (bottom right corner when logged in). All security reports must be performed through HackerOne so we can track reports and compensate you.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for security issues, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-31T00:43:05.010Z"},{"id":3543950,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, some of our products are in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. 
If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgment (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of the criteria in this policy, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n## Report Focus\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\nOur www subdomain only hosts static, non-sensitive content like our blog and marketing pages, so many attacks against this subdomain are unlikely to result in a bounty. 
We suggest that you focus your efforts on our app subdomain.\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing and we'll do our best to keep the environment operational. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Disclosure of software version, server IP, or other non-sensitive information. 
We're happy to accept reports on this, but reports will be closed as informative without a demonstration of an exploit using the information.\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-30T23:59:33.906Z"},{"id":3539826,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgment (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. 
If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. 
We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. Since we use those tools ourselves, we likely know about those issues anyway, so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. 
TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n* [Temporary] New reports of authorization bypass on sensitive methods. We recognize this is a problem and we're currently working our way through a couple dozen sensitive method calls.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-02T19:53:35.154Z"},{"id":3539825,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgment (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. 
If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. 
We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. Since we use those tools ourselves, we likely know about those issues anyway, so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. 
TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n* [Temporary] New reports of missing rate-limiting on Meteor methods. We recognize this is a problem and we're currently working our way through several hundred method calls.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-02T19:48:44.722Z"},{"id":3539824,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgment (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). 
Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other users' documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. Since we use those tools ourselves, we likely know about those issues anyway, so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. 
Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n* [Temporary] Reports of missing rate-limiting on Meteor methods. 
We recognize this is a problem and we're currently working our way through several hundred method calls.\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-02T19:48:02.638Z"},{"id":3539596,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgment (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. 
\n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other users' documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... 
just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. Since we use those tools ourselves, we likely know about those issues anyway, so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. 
We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-28T18:16:38.342Z"},{"id":3539595,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. 
If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other users' documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch an extended denial-of-service or similar attack that could disrupt or get us blacklisted with our service providers (keep any DoS attempts short... like, under a few minutes). If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. 
We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. Since we use those tools ourselves, we likely know about those issues anyway, so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. 
TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-28T18:16:25.379Z"},{"id":3539594,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. 
If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). 
Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other users' documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. 
Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Security issues in 3rd party components (Disqus, Intercom, Stripe), unless they present a unique threat to our service. Usually, these issues should be reported to the company that makes the component. We're more than happy to hear about these issues, but they will not be eligible for a bounty (reputation only).\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\n* Login/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-28T18:09:39.060Z"},{"id":3538672,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. 
If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly accessible (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other users' documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. 
Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. 
TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-08T05:43:15.435Z"},{"id":3538671,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. 
If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). 
Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs. 
Related: don't deface our blog comments with XSS attempts - we use Disqus for comments, so we wouldn't have any control over those components anyway.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software, scripts, or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library without evidence of exploitability\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers, platforms, or crypto (i.e. TLS BEAST)\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing public key pins\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies (we don't use cookie-based auth)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. 
Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-08T05:41:38.929Z"},{"id":3538670,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. 
If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. 
We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize inputs.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Reports of spam (i.e. 
any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than www.legalrobot.com or app.legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity unless they can be used to take over an account\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-08T05:33:28.402Z"},{"id":3538669,"new_policy":"If you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. 
If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive/Invasive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. \n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). 
Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe provide a non-production environment (legalrobot-uat.com) that you may use for destructive and invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers. If this server is offline *send us a note* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible. To be clear, issues that exist on the legalrobot-uat.com domain but not legalrobot.com will not be accepted.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time and yours because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than www.legalrobot.com or app.legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity unless they can be used to take over an account\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). 
In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-08T05:32:46.210Z"},{"id":3538418,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the legalrobot.ideas.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. 
However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. When we are not actively doing testing, we usually shut off this server, so before initiating testing on this environment, we ask that you *send us a quick email* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time because we have to go clean up the database, and it's a waste of your time because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Already public issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device or network\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors, phishing, spear phishing, etc.\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Reports of spam (i.e. any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than www.legalrobot.com or app.legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity unless they can be used to take over an account\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). 
In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-02T21:47:46.225Z"},{"id":3513185,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: the ideas.legalrobot.aha.io domain.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. 
However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. When we are not actively doing testing, we usually shut off this server, so before initiating testing on this environment, we ask that you *send us a quick email* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time because we have to go clean up the database, and it's a waste of your time because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Any report that discusses how you can learn whether a given email address has an account.\n* An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)\n* Reports of spam (i.e., any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-28T06:24:04.094Z"},{"id":3513184,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\n**Not in scope: our ideas portal at ideas.legalrobot.aha.io.** Also, any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. 
However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. When we are not actively doing testing, we usually shut off this server, so before initiating testing on this environment, we ask that you *send us a quick email* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time because we have to go clean up the database, and it's a waste of your time because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Any report that discusses how you can learn whether a given email address has an account.\n* An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)\n* Reports of spam (i.e., any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-28T06:22:40.912Z"},{"id":3500333,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Not in scope: our ideas portal at ideas.legalrobot.aha.io. Any mail server issues are out of scope on the legalrobot-uat.com domain. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. 
However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. When we are not actively doing testing, we usually shut off this server, so before initiating testing on this environment, we ask that you *send us a quick email* at hello@legalrobot.com with the expected duration of your testing. Also, because this is not a full production environment, DMARC, SPF, and similar email issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time because we have to go clean up the database, and it's a waste of your time because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Any report that discusses how you can learn whether a given email address has an account.\n* An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)\n* Reports of spam (i.e., any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-26T07:26:23.984Z"},{"id":3500332,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Not in scope: our ideas portal at ideas.legalrobot.aha.io. Any mail server issues are out of scope on the legalrobot-uat.com domain. Also in scope: any S3 bucket we own (they all have legalrobot in the name). Some S3 buckets simply hold logos, videos, and other assets which are intentionally publicly readable (like legalrobot.s3.amazonaws.com).\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. 
However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. Before initiating testing on this environment, we ask that you send us a quick email at hello@legalrobot.com with the expected duration of your testing - we also use this environment for our testing and sometimes it is unavailable. Since this is not a full production environment, DMARC, SPF, and similar issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Annoying Tests\nSubmitting form data like \"\u003e\u003cimg src=M onerror=prompt(1);\u003e\" just annoys us. It's a waste of our time because we have to go clean up the database, and it's a waste of your time because we _obviously_ sanitize form input.\n\n##Ineligible Reports\n* Reports from automated tools or scans\n* Issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Any report that discusses how you can learn whether a given email address has an account.\n* An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)\n* Reports of spam (i.e., any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-26T07:24:22.461Z"},{"id":3499055,"new_policy":"##The product is currently in beta and there is some functionality that is incomplete. \nActive development is underway so things are changing, a lot. Both the Hacker1 program and the app are currently in invite-only mode. For now, our primary concern is keeping information private rather than policing user-submitted content, etc. Therefore, exploits that let allow privilege escalation or access to other user's content are higher priority.\n\nIf you believe you have found a security vulnerability in Legal Robot, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. However, the product is currently in beta, so we do expect a large volume of changes in our code and may already be aware of the issue. If you submit a report for a known issue, we will do our best to let you know quickly so you can move on.\n\n##Rules\nUse good judgement (except as outlined below in \"Destructive Attacks\"):\n* Do not destroy or degrade the performance of our products and services, or violate the privacy and integrity of user accounts and data. 
\n* To be clear, you must never attempt to view, modify, or damage data belonging to others in production (feel free to do this in our non-production environment).\n* Do not interact with other users without their prior consent. \n* Do not attempt a denial-of-service attack.\n* Do not perform any research or testing in violation of law.\n* You must be the first person to report the issue to us. If a duplicate reproduction is submitted while the vulnerability is still in the wild, we will only award a bounty if the duplicate submissions provide more information or show the issue to be more extensive.\n\nAs long as your research stays within the bounds of these criteria, we welcome the dialogue and promise not to take legal action.\n\n##Attributes of a Good Report\n* Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.\n* Describe the versions of all relevant components of the attack (e.g. browser, OS, etc).\n* Describe a concrete attack scenario. How will the problem impact our services or customers? Put the problem into context.\n\n##Scope\nWe welcome you to report problems on legalrobot.com (production) and legalrobot-uat.com (non-production) or our Android and iOS app. Not in scope: our ideas portal at ideas.legalrobot.com or ideas.legalrobot.aha.io. Any mail server issues are out of scope on the legalrobot-uat.com domain.\n\nWe are particularly interested in problems that allow unauthorized access to other user's documents and will award monetary bounties accordingly. However, YOU MUST ONLY ATTEMPT THIS IN OUR NON-PRODUCTION ENVIRONMENT (legalrobot-uat.com).\n\n##Destructive/Invasive Attacks\nWe have made available a non-production environment (legalrobot-uat.com) that you may use for potentially destructive attacks and other invasive attacks. All of the data in this environment is non-sensitive, so have at it... 
just DO NOT do anything illegal, or launch a denial-of-service or other attack that could disrupt or get us blacklisted with our service providers like AWS. Before initiating testing on this environment, we ask that you send us a quick email at hello@legalrobot.com with the expected duration of your testing - we also use this environment for our testing and sometimes it is unavailable. Since this is not a full production environment, DMARC, SPF, and similar issues will not be eligible.\n\n##Automated Testing\nWe do our own automated testing for security issues and are likely aware of anything that is found through those methods. We ask you to refrain from adding your own automated testing load to our servers and submitting reports for issues from automatic scanners. We likely know about those issues anyway so they will not be eligible.\n\n##Ineligible reports\n* Reports from automated tools or scans\n* Issues related to software or protocols not under our control (e.g. meteor.js, node.js, cordova, etc)... 
unless we are using a version that is seriously out of date\n* Use of a known-vulnerable library (without evidence of exploitability)\n* Attacks requiring physical access to a user's device\n* Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Social engineering of our staff or contractors\n* Any physical attempts against our property or our host's data centers\n* Presence of autocomplete attribute on web forms\n* Missing security headers which do not lead directly to a vulnerability\n* Missing best practices (we require evidence of a security vulnerability)\n* Missing cookie flags on non-sensitive cookies\n* Missing http security headers (unless you deliver a proof of concept that leverages their absence)\n* Host header injections unless you can show how they can lead to stealing user data.\n* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n* Any report that discusses how you can learn whether a given email address has an account.\n* An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)\n* Reports of spam (i.e., any report involving ability to send emails without rate limits)\n* Self-XSS (we require evidence on how the XSS can be used to attack another user)\n* XSS on any site other than legalrobot.com.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity\n* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)\nLogin/logout CSRF\n\n##Thanks \u0026 Compensation\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/legalrobot/thanks). In addition to showing our appreciation for our security researchers, we also offer a monetary bounty for certain security bugs, provided you follow the rules. More serious issues will be rewarded appropriately. Many researchers find similar or identical issues at the same time so unfortunately, duplicate issues will only receive our appreciation.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-26T01:35:27.654Z"}]