White Hat Bug Bounty Program

Earn money and recognition for your responsible disclosures

LaunchKey fully supports and values the security research community. As such, we encourage security researchers to responsibly disclose security vulnerabilities after reviewing our responsible disclosure policy and bug bounty guidelines found on this page.

Responsible disclosure policy

Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users and developers. Responsible disclosure includes:

  • Provide us with a reasonable amount of time to fix the security vulnerability before publishing your find
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research and testing
  • Only target accounts you have created for the purpose of your security research, and never attempt to access or disrupt another user's service

We will not bring legal action against any researcher who discloses security vulnerabilities using the responsible disclosure guidelines above.

Bug bounty

To show our appreciation and respect to the security researchers whom volunteer their time to improving our service, we offer a monetary bounty for certain security bugs.

Eligibility

In addition to adhering to our Responsible Disclosure Policy above, to qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the integrity of LaunchKey services or user data, circumvent privacy protections, or enable access to systems within LaunchKey. Our bug bounty also covers SDKs, libraries and plugins developed and supported by LaunchKey, but excludes third party developed libraries, plugins, etc.

Qualifying Bugs:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication Flaws (e.g. LaunchKey OAuth bugs)
  • Remote Code Execution
  • Privilege Escalation
  • Code Injection

Non-qualifying Bugs

Typically, the following types of bugs are not eligible for a bounty:

  • Security vulnerabilities on sites hosted by third parties (e.g. launchkey.desk.com) unless they lead to a vulnerability on a LaunchKey-hosted site
  • Security vulnerabilities in third party applications which use the LaunchKey API
  • Security vulnerabilities in third party plugins, libraries or tools that use the LaunchKey API
  • Denial of service (DoS)
  • Spamming
  • Social Engineering
  • Bugs affecting outdated or unpatched browsers

Reward

  • The minimum bounty for a qualifying security vulnerability is $200 USD
  • There is no maximum bounty; the value of the bounty is based on a combination of the severity of the bug and creativity of the exploit
  • Receive payment by: check (if U.S. citizen); PayPal; or Bitcoin (BTC) transfer
  • Only 1 bounty per bug will be awarded
  • Security researchers who don't want to collect a bounty may have their reward donated to an approved charity upon request
  • You must reside in a country not under any current U.S. Sanctions to qualify for a reward.

How to report a bug

If you believe you've discovered a security vulnerability in LaunchKey, you may responsibly disclose your find by sending an email to security@launchkey.com using our optional PGP key below. Please include the following details with your disclosure:

  • Description of vulnerability and potential impact
  • Detailed description of steps taken to reproduce the bug or proof of concept
  • Name and/or link for (optional) attribution on this page

PGP Key

If you'd like to encrypt your communications with LaunchKey, please use our PGP key below. All security-related emails from LaunchKey will be signed with this key.

  • Key ID: 1515DF88
  • Key Type: RSA
  • Key Size: 2048
  • Fingerprint: 4A82 44D7 A524 8C63 BEAF C7DB 8391 6F05 1515 DF88
  • User ID: security@launchkey.com
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFG3cKEBCACzn7UsqMpOZF+QZ+W36iwRSseVJNsZM/FoldRH/aUHlgRyKIXJ
Q+KSU+Q6rzvRbD/fBPOIbSv/f8RvNqPCINUimo+Kl8l+mI0+9rjZDdpzoAApbGEO
0fEOxIQHF9pJx5hUf5slrO1fsKIx+JQhYAxR+VucujjHztlTD4yD+nEBD0G8GwFW
kzJGG2jRiKHZGlkDNay4ka6lWvrtcrg69CJXDqFM0yA3KtnlGl7GcyHDFqsxY9kD
lSvmEaHkVXClnGVphmucBqeptpCAgdHEpZ3uhfWqTVrDLtR+J403pOuU1S5WrLEx
qET5STUPKqx/Zj49ajRir4Nkg5tSAaZrncsjABEBAAG0K0xhdW5jaEtleSBTZWN1
cml0eSA8c2VjdXJpdHlAbGF1bmNoa2V5LmNvbT6JATgEEwECACIFAlG3cKECGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEIORbwUVFd+IymYH/RJHgB6fa4TI
6efrKUPUFBwGrY4rwpfpCs4CZfDjHUDmm+aojTnE2KFqP/hI+veNKr+U6UyEEUTu
Oze4xasqOnqlGULkKmGeh/eSiUv6/Q69qG8EY/78LGD4rKiUYlHD42HZxYXaL0Jc
cYnyEeu9fzCNTTvZ12BKJ4Jcts7MDhI9Ywc4rHBiMHPkf6zmGSLLXOh81kRL0HNs
O0rc2nmvjTctmiv9V85TGwG0ZU8k4ltH1PljHATJlCo9eTI3azfUbHWlfyyKCk0b
SWbxAvl24liuTp//IaIIZNAvIpDvlaKIsGBe9mNB3XkNk2xPxY9JxrZdneOK1J9q
CS8kvGZDYs65AQ0EUbdwoQEIALh2FcHorBUF/IhqSzFEPe0fMp36GKOAnZHwELMt
7vK72MtDBwRleec9rB1T04PXsmOBLCOrYft6zOhN4OXpp8DMKsv2uyYG2kGS9opX
FsBQAGt6n+Q2yURhE2szC/UYdR5J1UOwzWTVU0sG4nAxqlCDSJSDejMeYuZcXQWP
FGoPTDL65EPDi56kAQ/ToQfB1tlMfMhp9XTQX+/JUgRWRalZ5V9ToMtPEDV0xBjV
I4zIdbsc8yc+qQ9KNWqAlDkd5dc0ezalDLPNh/7+Z0KhNuqsxVuLzVdvx458HIC0
EKw78gYeHeVqRMsRRpqY3iHxu2WI9oGtNAkgI7fD0EleuA8AEQEAAYkBHwQYAQIA
CQUCUbdwoQIbDAAKCRCDkW8FFRXfiOFHB/9ZNxbJ/QvOurHI9OfJ+gIO2MzY1EjO
/uLToWIlPed/DFpDcfiq1V3u2WzxeBmxN5JS+5CEhaJY0evWOjrmgNncD6KuHnfs
Mzy6NN6bd8NF0uUxH3667YYw2UMBxEoS9RZ4n+wtftRAyZfCUNQtDTIA67By49qX
tvfAWoGsdq80B8gWgwKfM9qiUdouw3Jn6d+x4N8jFd7M+2IvDXk9uoeKbVLX8h5S
HGxjTwcP6DLzQwVYknldt8MbiI40+rsnvmWMA8EZvcaqVu4PybmvuXXoeARxJIOT
i65uvYcJ8FRwdXjN8l2wBexQxi3Uvl4CM8y9icdFKAqYFWuPWAqThQyX
=Nzav
-----END PGP PUBLIC KEY BLOCK-----
Hall of Fame

On behalf of our users and developers, we would like to formally thank the following individuals for their responsible disclosures:

2014

2013

Are you ready to evolve your security beyond the password era?

Get started immediately by downloading the LaunchKey mobile app or by contacting a LaunchKey representative today.

Download Mobile App

Enterprise Sales

Contact Us