Responsible Disclosure Policy

Responsible Disclosure Policy

letgo aims to keep its services safe for everyone, and we consider the security of our systems a top priority. We value the security community and believe that a responsible disclosure of security vulnerabilities helps us ensure the security and privacy of the users. If you have discovered a security vulnerability in our app or website, we appreciate your help in disclosing it to us in a responsible manner. Any vulnerability reported to us in good faith will not be penalized.

We ask that you:
  • Report vulnerabilities expediently, to reduce the risk of malicious actors finding and exploiting them.
  • Report vulnerabilities with sufficient detail so that we may reproduce them.

On the other hand, we ask that you please do not do the following:
  • Do not disclose vulnerabilities to others.
  • Do not exploit vulnerabilities any further than necessary than to prove its existence.
  • Do not access, alter or download data belonging to legitimate users of the site.
  • Do not perform any activity that could lead to the disruption of our service (DoS/DDoS).
  • Do not test in a manner that would result in the sending unsolicited or unauthorized junk mail or unsolicited messages
  • Do not test third-party applications or services that are integrated with letgo.
  • Do not perform social engineering attacks.

If we believe your report to be valid and require further detail, we may contact you using the email address that you may have shared in the form. Our responsible disclosure process is hosted by Bugcrowd.  If you already have an account on BugCrowd under that email, we will be able to communicate and work together on that platform.