
Security - LINDERA Bug Bounty Program


Last updated: October 30, 2024

LINDERA Vulnerability Program Guidelines

If you have discovered a security or privacy vulnerability in LINDERA software or services, please report it directly to us. We review all qualified submissions for possible security rewards.

What is in scope?

  • *.lindera.de (excluding www.lindera.de, *.admin.lindera.de)
  • LINDERA Mobility Analysis App (L.Care)

What is not allowed?

  • Accessing other users' data. Test only with your own user account, or with a LINDERA employee account (@lindera.de) if you cannot create your own.
  • Disrupting production systems for other users
  • Attacks on customer systems
  • Attacks on our integration partners' systems
  • Attacks on applications using the LINDERA SDK, L.Gait, L.Ortho

Excluded vulnerabilities:

  • Vulnerabilities on static websites without sensitive data or actions
  • Clickjacking on pages without sensitive actions
  • Unauthenticated/Logout/Login CSRF
  • Attacks requiring MITM or physical access to a user's device
  • Attacks requiring social engineering
  • Activities that could disrupt our service (DoS)
  • Content spoofing and text injection issues without a specified attack vector or without the ability to modify HTML/CSS
  • Email spoofing
  • Missing DNSSEC or CAA DNS records, and missing CSP or HSTS headers
  • Missing Secure or HTTP-only flags on non-sensitive cookies
  • Dead links and broken links
  • Use of known vulnerable software less than 30 days after vulnerability disclosure and without proof of exploitability

How are rewards determined?

  • Rewards are determined at our discretion. The reward is decided based on the severity and scope of the vulnerability as well as the completeness and quality of the report.

When is my report eligible for a reward?

  • You must be the first to report the issue directly to us via email.
  • Your report must be clear and detailed and show a way to reproduce the issue.
  • You must sign an NDA committing not to publicly disclose the issue and to delete all information collected during research.

What makes a complete report?

  • A detailed description of the issue(s) and observed behavior as well as expected behavior.
  • A numbered list of steps required to reproduce the issue.
  • A reliable proof-of-concept exploit for the reported issue.
  • Details about related issues or variants.

What makes a good report?

  • A good report is reproducible so we can accept it under the Vulnerability Bounty Program and evaluate it appropriately.

How do I report a vulnerability?

What we promise:

  • We will respond to your report within 7 business days with our assessment and expected resolution timeline.
  • If you have followed the instructions above, we will not take legal action against you in connection with the report.
  • We will treat your report in strict confidence and will not share your personal information with third parties without your permission.
  • We will keep you updated on progress toward resolving the issue.

US market note: This bug bounty program demonstrates strong cybersecurity practices, which is particularly important for healthcare technology companies in the US market. The clear guidelines and responsible disclosure process align with industry best practices for security vulnerability management.