Subspace Institute

Bounty Hunter

Security Vulnerability Bounty Program - Report Requirements, Testing Scope and Reward Mechanism

I welcome security researchers to help identify vulnerabilities in LAPLACE Login Sync. Valid reports may receive rewards up to $2,333 based on severity. Submit clear, reproducible PoCs and allow 90 days for remediation.

General Requirements

  • Valid security vulnerabilities only; no spam, phishing, or social engineering reports
  • Vulnerabilities must be reproducible with clear PoC
  • Report must include step-by-step reproduction instructions
  • One vulnerability per submission; do not chain multiple issues without prior approval
  • First reporter of a valid vulnerability will be credited
  • Reports must be in English or Chinese
  • Do not publicly disclose vulnerabilities before a patch is released
  • Allow up to 90 days for vulnerability remediation
  • Researchers must not access, modify, or delete user data during testing
  • Do not perform denial-of-service (DoS) attacks
  • Automated scanning tools are discouraged; manual testing preferred

Testing Requirements

  • Focus areas: API endpoint security, server-side logic, browser extension functionality
  • In-scope endpoints: /update, /get/:uuid, /remove
  • In-scope components: Browser extension, sync server
  • Test for: Authentication bypass, data leakage, injection vulnerabilities, access control issues
  • Out of scope: Third-party dependencies (unless directly exploitable), rate limiting, UI/UX issues
  • Out of scope: Self-XSS, logout CSRF, missing security headers without demonstrated impact
  • Out of scope: Cryptographic implementation inherited from the upstream CookieCloud project
  • Server testing: Use provided test instance or self-hosted deployment

Possible Awards

  • Recognition on public special thanks page
  • Severity-based rewards:
    • Critical (RCE, data breach): up to $2,333
    • High (authentication bypass): up to $1,000
    • Medium (information disclosure): up to $500
    • Low (best practice violations): up to $100
  • Bonus consideration for detailed remediation suggestions
  • No rewards for duplicate reports or previously known issues
  • Rewards issued within 30 days of vulnerability confirmation

Special Notes

  • This is an open-source project forked from CookieCloud
  • End-to-end encryption: Server never stores plaintext user data
  • Cryptographic implementation (AES-256-CBC, EVP_BytesToKey) is inherited from upstream CookieCloud
  • Crypto-related vulnerabilities should be reported to upstream project: https://github.com/easychen/CookieCloud
  • I focus on implementation-specific issues unique to this fork
  • Responsible disclosure required; coordinate with maintainers before any public discussion
  • Contact: s@laplace.live
