VULNERABILITY DISCLOSURE PROGRAM
We at Livspace India Private Limited (“Livspace”, “us” or “we”) are committed to maintaining the highest standards of security across our platforms and services. As part of our security-first approach, we believe that building collaborative relationships with the security research community (“you” and “your”) is essential. We value the contributions of security researchers and encourage responsible disclosure of potential vulnerabilities.
The Livspace Vulnerability Disclosure Program (the "Program") governs your participation in the responsible reporting of security vulnerabilities to Livspace. The terms of the Program (the “Terms”) are published at https://www.livspace.com/responsible-disclosure-program and https://www.livspace.com/.well-known/security.txt, and you are deemed to agree to comply with and be bound by them upon your use of and/or access to those pages. By submitting any potential vulnerabilities to Livspace or otherwise participating in the Program in any way, you acknowledge that you have read, understood, and agree to be bound by these Terms.
The Program allows security researchers to submit information (“Submissions”) about potential security vulnerabilities or exploitation techniques (“Vulnerabilities”) found in eligible Livspace platforms, including but not limited to websites and mobile applications belonging to Livspace and its affiliates.
2.1 Who Can Participate
2.1.1 You are eligible to participate in the Program only if you meet all of the following conditions:
a. You are either:
-- An individual security researcher participating in your personal capacity; or
-- An employee of an organization that permits participation in such programs. You are solely responsible for reviewing and complying with your employer’s policies and guidelines regarding participation.
2.2 Who Cannot Participate
2.2.1 You are not eligible to participate in the Program if any of the following apply:
-- You reside in a country or region that is subject to trade restrictions, embargoes, or sanctions under the laws of India.
-- Your employer prohibits participation in the Program or external vulnerability disclosure programs.
-- You are currently an employee of Livspace or any of its affiliates, or an immediate family member or household member (parent, sibling, spouse, or child) of such an employee.
-- You were employed by Livspace or any of its subsidiaries within six (6) months prior to your submission.
-- You currently perform, or have performed within the last six (6) months, services for Livspace or its subsidiaries in an external capacity (including as a contractor, vendor, agency temporary worker, or consultant) that required access to Livspace’s corporate systems or networks, including but not limited to the Livspace platforms described above.
2.3 Compliance Responsibility
It is your sole responsibility to ensure that your participation in this Program does not violate any applicable laws, regulations, or employment-related policies. If you participate in violation of such policies or laws, Livspace reserves the right to disqualify you from the Program. All payments will be made in accordance with applicable local laws, including tax and ethics regulations.
Livspace disclaims all liability or responsibility for any employment-related disputes arising from your participation in the Program.
3.1 The following issues are out of scope for the Program and will not be considered valid Vulnerabilities. Submissions reporting any of them will not be covered under this Program:
-- Vulnerabilities in third-party applications not owned or operated by Livspace;
-- Any activity that may result in disruption of Livspace’s services, including Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks (strictly prohibited);
-- UI redressing or clickjacking on non-sensitive endpoints, without demonstrated impact, or requiring unrealistic user interaction;
-- Issues affecting outdated versions of modern browsers;
-- Disclosure of information that does not present a significant security risk;
-- Cross-Site Request Forgery (CSRF) with minimal impact;
-- General best practice concerns without a security impact (e.g., password complexity, expiration, or reuse policies);
-- Attacks requiring physical access to a user's device;
-- Missing email best practices (including email spoofing and SPF, DKIM, or DMARC misconfiguration) and SSL/TLS misconfigurations;
-- Missing cookie flags, including HttpOnly or Secure;
-- Missing security headers;
-- Public 0-day vulnerabilities that have been officially patched for less than one (1) month (considered on a case-by-case basis);
-- Email or username enumeration;
-- Self-XSS that cannot be used to exploit other users;
-- Lack of rate limiting on non-sensitive endpoints, or bypassing of rate limits, without security impact;
-- API key exposure without proven business impact;
-- Disclosure or misconfiguration of Google Maps API keys;
-- Disclosure of WordPress usernames;
-- Verbose error messages, file or directory listings that do not expose sensitive information;
-- CORS misconfigurations on non-sensitive endpoints;
-- Use of the autocomplete attribute on web forms;
-- Reverse tabnabbing;
-- CSV injection;
-- Sessions not being invalidated on logout or on enabling 2FA (without proven risk);
-- Tokens leaked to third parties via the Referer header (without unauthorized access);
-- Content injection that does not allow modification of HTML;
-- Email bombing;
-- HTTP request smuggling without proven impact;
-- Homograph attacks;
-- XML-RPC enabled;
-- Banner grabbing or version disclosure;
-- Same-site scripting;
-- Subdomain takeover claims without a successful takeover;
-- Arbitrary file upload without evidence of the file being retrievable or executable;
-- Blind SSRF without demonstrated impact (e.g., pingbacks alone are insufficient);
-- Host header injection without proven business impact.
4.1 If you believe you have identified a Vulnerability that meets the applicable requirements set forth in the Terms, you may submit it to Livspace through the process described herein.
4.2 Subject to Clause 3 of the Terms, each Vulnerability submitted to Livspace shall be a "Submission". Submissions must be sent to security@livspace.com. In the initial email, please specify the Vulnerability details and the specific product version numbers you used to validate your research. Please also include as much of the following information as possible:
-- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
-- Product and version that contains the bug, or URL if for an online service
-- Service packs, security updates, or other updates for the product you have installed
-- Any special configuration required to reproduce the issue
-- Step-by-step instructions to reproduce the issue on a fresh install
-- Proof-of-concept or exploit code
-- Impact of the issue, including how an attacker could exploit the issue
Those Submissions that do not meet the minimum bar described above are considered incomplete. Livspace is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Livspace at security@livspace.com to ensure your Submission was received. There are no restrictions on the number of qualified Submissions you can provide.
5.1 Livspace is not claiming any ownership rights to your Submission. However, by providing any Submission to Livspace, you:
5.1.1 grant Livspace the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
5.1.2 agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
5.1.3 understand and acknowledge that Livspace may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
5.1.4 understand that you are not guaranteed any compensation or credit for use of your Submission; and
5.1.5 represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Livspace.
6.1 At Livspace, the security and trust of our customers remain our highest priority. We are committed to reviewing and addressing reported vulnerabilities diligently. All Submissions made under this Program must remain strictly confidential. You are not permitted to share, publish, or discuss the details of any vulnerability with any third party including but not limited to media outlets, security blogs, conferences, academic publications, or online platforms prior to Livspace confirming that the issue has been fully resolved.
6.2 If, while investigating an issue, you inadvertently and without malicious intent cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information), disclose this to Livspace immediately.
6.3 Any exploitation of identified vulnerabilities for unlawful gain, unauthorized access to restricted customer or system information, impairment of Livspace’s systems, violation of Program guidelines, or breach of confidentiality obligations may result in disqualification from the Program and will be subject to appropriate legal action.
6.4 You are not permitted to disclose any identified vulnerability through public channels until it has been resolved by Livspace.
6.5 You shall not independently develop, or have developed on your behalf, any products, concepts, systems, or techniques that are similar to or in competition with those contemplated under this Program. Any such development will be deemed a violation of your obligations under these Terms.
6.6 Upon Livspace’s request at any time, you shall promptly return or ensure the return of all confidential information to Livspace. This includes, without limitation, all materials, documents, copies, summaries, notes, and any analyses, compilations, studies, or other documents—whether in physical or electronic form—that contain or reflect any part of the confidential information. You may also be required to provide written certification confirming such return or destruction.
6.7 You acknowledge that any unauthorised use or disclosure of Livspace’s confidential information would cause Livspace grave and irreparable harm, the extent of which would be difficult to quantify. Accordingly, Livspace shall be entitled, without the requirement to post any bond or other security, to seek and obtain from any court of competent jurisdiction specific performance, temporary or permanent injunctive relief, or any other equitable remedy necessary to prevent or restrain such breach. These equitable remedies are in addition to, and not in lieu of, any other rights or remedies available to Livspace at law. You expressly waive any defence that monetary damages would be an adequate remedy.
6.8 ANY BREACH OF THIS CONFIDENTIALITY OBLIGATION SUCH AS PREMATURE DISCLOSURE OF THE REPORTED VULNERABILITY OR ATTEMPTS TO ENFORCE TIMELINES MAY RESULT IN LIVSPACE REFUSING TO ACKNOWLEDGE THE SUBMISSION AND DISQUALIFYING THE PARTICIPANT FROM ANY FUTURE ENGAGEMENT UNDER THIS PROGRAM.
7.1 Once a Submission is received by Livspace in accordance with Clause 4, we will review the reported Vulnerability to assess its validity, severity, and eligibility under this Program. The review timeline may vary depending on the complexity and completeness of the Submission, as well as the volume of reports received at the time.
7.2 Livspace retains sole discretion in determining whether a Submission qualifies as a valid and eligible Vulnerability under this Program. In cases where multiple reports are submitted for the same Vulnerability, Livspace will consider the first complete and eligible report as the original Submission.
7.3 If a duplicate report provides significant additional information that materially improves our understanding of the issue or assists in remediation, Livspace may, at its discretion, acknowledge the contribution of the reporter of the duplicate submission separately. However, final determinations regarding submission validity, completeness, and recognition rest solely with Livspace.
8.1 Please review Livspace's privacy policy to understand how we collect, use, and protect your personal information submitted in connection with this Program.
9.1 Livspace may publicly recognize individuals who have made valid Submissions. Livspace at its discretion may recognize you on web properties or other printed materials unless you explicitly ask us not to include your name.
10.1 By participating in the Program, you will follow these rules:
-- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages
-- Don’t do anything illegal
-- Don't engage in any activity that exploits, harms, or threatens to harm children
-- Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity)
-- Don't engage in activity that is false or misleading
-- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others)
-- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others
-- Don't help others break these rules
10.2 If you violate these Terms, you may be prohibited from participating in the Program in the future.
11.1 LIVSPACE, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR APPLICABLE LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
12.1 These Terms shall be governed by and construed in accordance with the laws of India, without reference to its conflict of laws principles. Any disputes and/or differences arising out of or in connection with this Program shall be subject to the exclusive jurisdiction of the courts located in Bengaluru, Karnataka.
13.1 These Terms, together with Livspace’s privacy policy, constitute the entire agreement between you and Livspace with respect to your participation in the Program, and supersede any prior communications or agreements related to the same. Each provision of these Terms shall apply to the fullest extent permitted under applicable law. If any provision is found to be unenforceable by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.
14.1 Users shall not commit any act of bribery or corruption, including directly or indirectly give, make, offer or receive or agree to make any payments, contributions, gifts, entertainment or other advantages for the purpose of obtaining or retaining business which a reasonable person would consider to be unethical, illegal or improper, or which is in violation of any anti-bribery or anti-corruption laws and regulations. A violation of this provision will result in immediate termination of your access to or use of the Program.
BY PARTICIPATING IN THIS PROGRAM AND SUBMITTING REPORTS, YOU AGREE TO BE BOUND BY THESE TERMS.
Livspace recognises the following researchers who have discovered security vulnerabilities and made our product more secure for everyone.