Langdock Vulnerability Disclosure Policy
Our Commitment
Langdock is committed to building a secure platform for our users. We value the contributions of the security research community and encourage responsible disclosure of vulnerabilities. This policy outlines our process for vulnerability reporting, the scope of our bug bounty program, and the rules for participation.
1. Scope
In Scope
We will investigate and address security vulnerabilities reported in the following product:
- Langdock Platform (app.langdock.com)
Out of Scope
The following are not covered by this policy:
- Marketing website (www.langdock.com)
- Mobile applications
- Third-party dependencies or systems owned by other entities (please report these directly to the vendor)
- Physical security, social engineering, phishing, spam, brute-force attacks
- Denial-of-Service (DoS), distributed DoS (DDoS), or resource exhaustion attacks
- Automated scanning or fuzzing that degrades service
Note: We welcome reports of potential DoS vulnerabilities, but do not permit active DoS testing or exploitation against our systems. Such reports are not eligible for monetary rewards.
2. Bug Bounty Rewards & Recognition
Monetary rewards are limited to high-impact vulnerabilities in the following categories:
- Remote Code Execution (RCE)
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- SQL Injection (SQLi)
- Insecure Direct Object References (IDOR)
- Authentication bypass
- Privilege escalation
- Severe information or PII disclosure
Other valid, in-scope reports may receive mentions or Langdock swag, at our discretion.
Low-quality, low-impact, or informational issues (e.g., missing security headers, weak TLS ciphers, version disclosures, or similar) are not eligible for monetary rewards.
Duplicate or known issues: Only the first valid report is eligible for acknowledgment or possible reward. Multiple reports of very similar vulnerabilities will not receive multiple payouts. If you reported a known issue, we will inform you right away.
Exceptional cases: We reserve the right to make exceptions for high-quality, unique reports that provide significant value, even if they fall outside the strict payout categories.
Negotiation: We do not negotiate bounty amounts. Attempts to extort or pressure for higher payouts will result in disqualification from the program and loss of safe harbor protections.
3. Rules for Testing & Reporting
- Do not attempt to access, modify, or delete data that does not belong to you.
- Do not perform actions that may disrupt service, degrade performance, or impact other users.
- Do not attempt social engineering, phishing, or physical attacks.
- Automated scanning or fuzzing that degrades service is prohibited.
- Proof of concept required: All reports must include clear, reproducible steps to demonstrate the vulnerability. Screenshots, videos, or sample code are strongly encouraged.
- Quality matters: Reports lacking sufficient detail, impact assessment, or reproducibility may be rejected or deprioritized.
- Multiple similar reports: Only the first valid report of a vulnerability will be eligible for reward or acknowledgment.
4. Safe Harbor & Confidentiality
We will keep all information you provide confidential.
Researchers acting in good faith, following this policy, and avoiding privacy violations, service disruption, or data destruction are protected from legal action by Langdock.
By submitting a report, you agree to abide by these terms. If you do not agree, you are not eligible for safe harbor protections.
Reporting Process
Report the Concern
Email security@langdock.com with your findings. Only security issues are accepted at this address.
Include Details
Provide a detailed summary, attack surface (e.g., URL and parameters), potential weakness, tools used, proof of concept, severity level (CVSS 3.1 or low/medium/high/critical), and any plans for public disclosure.
Preferably, send a plain-text email for each vulnerability.
Vulnerabilities in Open Source Projects
If the issue is in a third-party or open source component, report it to the affected project as well.
Use Common Sense
Avoid privacy violations, service disruption, and unauthorized data access.
Next Steps
We will acknowledge receipt of your report within 3 business days.
We will investigate and provide progress updates at least every 10 business days until resolution.
Upon validation and mitigation, we will alert affected customers and may issue a security advisory.
Policy Updates
Langdock may update this policy at any time. Significant changes will be communicated via our website.
Thank You
Thank you for helping us keep Langdock secure! Your responsible research and reporting are greatly appreciated.