At Loops, we care deeply about the safety and security of our customers’ data and our systems. We welcome security and vulnerability reports as part of our commitment to providing the most secure product possible.

Making a report

If you’ve read this document and discovered an issue that you believe is in scope, please email us at security@loops.so. Please include the following details:
  • A clear summary of the issue and its potential impact.
  • Detailed steps to reproduce the issue.
  • Relevant environmental details (browser, OS, version numbers, etc.).
  • Any proof-of-concept code that demonstrates the vulnerability, if available.
Our security team will review your report and keep you updated on our progress, requesting additional information or clarification when needed. We believe that vulnerability reporting creates a safer, better product for our customers. As such, we offer compensation for reports with a CVSS score of 4 or higher.

Timelines

We’ll get back to you within a few days to acknowledge your report.

What we’re most interested in

  • Authentication bypass and privilege escalation.
  • Exposure of personally identifiable information (PII).
  • Unauthenticated access to user data (outside of intentionally public data).

In scope

Out of scope

  • Automated scanning.
  • Social engineering.
  • Denial of Service attacks.
  • Attacks that need physical access to someone’s computer.
  • Theoretical attacks you can’t actually exploit.
  • Man-in-the-middle attacks.
  • Clickjacking or UI redress attacks.
  • CSV injection (unless it can harm non-Loops users).
  • HTML injection (unless it can harm non-Loops users).
  • Missing security headers, weak TLS cipher suites, or DNS setup issues. We might find these informative, but they probably won’t earn a bounty.

Please be considerate while investigating

  • Only test with your own account (or get permission from the account owner first).
  • Don’t modify, delete, or store private data that isn’t yours.
  • Avoid anything that might break or slow down our services.
  • If you get remote access to our systems, don’t try to expand or elevate your access.

Safe harbor

Any activities conducted in a manner consistent with this document will be considered authorized and Loops will not initiate legal action against you.