Responsible Disclosure
Find a security issue in LyDos. We acknowledge within 24 hours, triage within 72, fix CRITICAL/HIGH within 30 days. Bounties paid in USD. Public credit on request. Detailed program at /.well-known/security.txt.
Bounty tiers
- CRITICAL: $5,000 – $25,000
  Remote code execution · RLS bypass · KSL signature bypass · full tenant-data leak
- HIGH: $1,000 – $5,000
  Auth bypass · SSRF · account takeover · audit-chain tampering
- MEDIUM: $250 – $1,000
  Reflected XSS · scoped IDOR · CSRF on critical action
- LOW: Public credit only
  Best-practice deviations · info disclosure with no impact
In scope
- https://lydos.ailydian.com
- https://*.lydos.ailydian.com (regional subdomains)
- Public API under /api/* (excluding /api/admin/*)
- LyDos CLI (distribution channel)
Out of scope
- Denial of service / volumetric attacks
- Social engineering of LyDos staff
- Physical security of premises
- Third-party SaaS (Stripe, Google OAuth)
- Vulnerabilities requiring root/physical device access
Submit a report
Reports POST straight to /api/security/disclosure. You get back a hash-anchored receipt plus a KSL acknowledgement, so you can prove your report was received at a given time. Prefer programmatic submission? See security.txt.