[{"id":3602991,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Submitting reports on `help.lyst.com` - we do not host this and issues here should be reported directly to @Zendesk instead.\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* Username enumeration\n* Exposure of social features such as users' saved items\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n* CSRF on login/logout/other non-authenticated content\n* Missing headers\n* Secure and HttpOnly flags on cookies\n* crossdomain.xml misconfiguration without an exploit scenario\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-18T11:58:06.210Z"},{"id":3553909,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. 
Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. 
being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Submitting reports on `help.lyst.com` - we do not host this and issues here should be reported directly to @Zendesk instead.\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* Username enumeration\n* Exposure of social features such as users' saved items\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n* CSRF on login/logout/other non-authenticated content\n* Missing headers\n* Secure and HttpOnly flags on cookies\n* crossdomain.xml misconfiguration without an exploit scenario\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-05-19T10:21:30.445Z"},{"id":3547375,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. 
Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page, blockable errors only)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* Username enumeration\n* Exposure of social features such as users' saved items\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n* CSRF on login/logout/other non-authenticated content\n* Missing headers\n* Secure and HttpOnly flags on cookies\n* crossdomain.xml misconfiguration without an exploit scenario\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-22T09:35:02.472Z"},{"id":3547341,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. 
Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. 
Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. 
being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* Username enumeration\n* Exposure of social features such as users' saved items\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n* CSRF on login/logout/other non-authenticated content\n* Missing headers\n* Secure and HttpOnly flags on cookies\n* crossdomain.xml misconfiguration without an exploit scenario\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-21T20:17:39.585Z"},{"id":3547083,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. 
Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* Username enumeration\n* Exposure of social features such as users' saved items\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-16T13:56:52.154Z"},{"id":3546933,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. 
Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf you are banned due to excessive activity please halt requests and wait a short amount of time and the ban will be released automatically.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* User enumeration\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-14T10:19:18.427Z"},{"id":3546860,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. 
Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf for some reason your IP address or account are banned during your research activity please contact us at security+hackerone@lyst.com and we'll restore your access ASAP. 
It can be helpful in resolving your ban if you include some kind of identifying request parameter when making bulk requests.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* User enumeration\n* Missing \"best practices\" without a clear demonstration of impact in our use case\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-13T10:59:28.680Z"},{"id":3546849,"new_policy":"No technology is perfect, and Lyst believes that working with skilled security researchers across the globe is crucial in identifying 
weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounties\n\nWe award bounties based on 4 severity levels. Examples below are only suggestions as to the kind of bugs we'd expect to see in each category. Depending on the impact you can demonstrate from a particular bug we may pay higher than suggested.\n\n## P1: Critical – $5000+\n\n* Remote code execution\n* Privilege escalation\n\n## P2: High – $1000+\n\n* Stored XSS without user interaction\n* CSRF\n* SQL injection\n* Account takeover with user interaction\n\n## P3: Medium – $300+\n\n* XSS with user interaction\n* Edge case performance issues which could be used for DoS\n\n## P4: Low – $100+\n\n* Mixed content warnings\n* Debugging information\n\n# Test Accounts\nYou must only test against accounts that you have created. You may register for accounts as long as you include the suffix **+hackerone** before the @ in your email address. For example **test+hackerone@example.com**.\n\nYou may be banned for registering accounts without this string in your email address.\n\n# Test Cards\nWe have 5 test cards to use. Note these are not real credit card numbers. All orders will not be processed.\n\n* 4024007175579357 \n* 4916375378230974 \n* 4839456722548214 \n* 4556908228877498 \n* 4916736231570825\n\nUse the address **921 Front St \\#100, San Francisco, CA 94111** for all of them.\n\n# Rate Limits and Bans\nWe enforce rate limiting on most of our website. This may result in your address being banned if you make more than around 160 requests per minute from a single IP address. Do not try and evade this limit.\n\nIf for some reason your IP address or account are banned during your research activity please contact us at security+hackerone@lyst.com and we'll restore your access ASAP. 
It can be helpful in resolving your ban if you include some kind of identifying request parameter when making bulk requests.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Examples of vulnerabilities Lyst are particularly interested in hearing about\nAuthentication flaws\nCross-site scripting (XSS)\nSQL Injection\nCross-site request forgery (CSRF/XSRF)\nMixed content scripts (scripts loaded over HTTP on an HTTPS page)\nServer side code execution\nPrivilege Escalation\nAuthorization flaws/Access Control Bypasses (e.g. being able to perform security-sensitive actions as a Restricted User) \nClickjacking on authenticated pages with sensitive state changes\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Lyst staff or contractors\n* Any physical attempts against Lyst property or data centers\n* User enumeration\n\nThank you for helping keep Lyst and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-13T10:02:38.528Z"}]