Our bug bounty

by Alex Stapleton on Wednesday, 6 Apr 2016

Like many websites, we have bugs. Some of them are harmless, but some of them definitely aren’t. Sometimes people have found bugs for us and let us know about them. We’ve always appreciated that a lot, but it’s not always been easy to reward people (or even make proper contact with them) for doing so. So today we are launching our public bug bounty program on Bugcrowd.

This program covers our entire public website and our mobile applications. We’re particularly interested in things that would provide access to or control of our users’ data in some way we hadn’t intended, but also anything that might disrupt a user’s experience on our site, like XSS attacks. We want “lyst.com” to be a domain name people can trust.

We aren’t the typical organisation running a bug bounty. We are a relatively small company, and our attack surface is a bit more constrained than that of a lot of other services out there. However, we take our customers’ security seriously, especially when it comes to their personal and payment information. So we already try hard to make sure we keep our users safe. We hold regular internal training events to keep up to date on the web security landscape. We are pushing for PCI Level 1 compliance to make sure we have good auditing and system separation. We continuously monitor our web traffic for suspicious behaviour. Still, we felt we could do better. There are only so many of us.

So we are reaching out to the security community via Bugcrowd to get access to that expertise. We want you to keep us honest and help us learn from our mistakes, so we’ll be listening to the community to find ways to make testing our systems as easy as possible.

You can find more information over at Bugcrowd about the details of our program and how to get in touch with us.

2021 update: We now use HackerOne for our bug bounties; check it out at https://hackerone.com/lyst