Notice: The bug bounty program is currently suspended!
If you as a Security Researcher found safety problems on our platform, we ask you to behave responsibly by sharing your information with us. If you have found security-related problems on our platform as Security-Researcher we ask you to handle responsible handling by providing your information.
We appreciate your work by paying a generous bug bounty (private LOVOO bug bounty) for all reports that follow our rules and thank you for making LOVOO safer!
You may not access any private data from other user accounts, download it or save it. We refer to all data that is only viewable for the respective user personally. Only interact with accounts that are yours or for which you have an explicit permission to use.
Any attacks, that target the availability or integrity of our services (e.g. destroy data, change data or delete data) are forbidden and not allowed. Any attacks that may compromise availability or integrity of our services (for example with automated vulnerability scans) are forbidden and not allowed. DDoS and spam attacks are not permitted.
Social engineering, phishing as well as any physical intervention with LOVOO property (like data center) is not permitted.
Attacks may not impede other users.
Problems from the report may not already be published or prepared to be published. We must be given 60 days to fix the problem (before public disclosure or disclosure to a third party). Please follow the basic principles of responsible disclosure.
All problems must be reproducible. All reports must contain instructions on the reproduction (proof of concept code, a clear request, e.g. HTTP call including request/response header and body).
The report has to refer to a problem that is in scope as well as covered in qualification.
Current or former employees of LOVOO, their legal representatives, their businesses or their relatives are excluded from participation. Underage persons may only participate with the consent of their legal representative.
The problem relates to one of the following domains: lovoo.com, www.lovoo.com, api.lovoo.com, api.gateway.lovoo.com.
The problem refers to the currently available version of our iOS or Android app or the website.
The problem relates to a service or a website operated by LOVOO.
The reported problem must not already be known or submitted to us by another person.
The problem has to be a risk which we do not accept.
Timing attacks, for example of the kind that allow to verify the existence of a user, are not included in the bug bounty program.
Attacks using brute force or problems that result from the use of brute force are not part of the program.
Problems that are identified on older mobile devices, operating systems or browsers are not part of the program.
The problem needs to be reproducible on the latest device, operating system and browser (without browser extensions).
If you want to contact us, you can reach us via vulnerability@lovoo.com. Please encrypt your mail with PGP/GPG (Key-ID:60195DC6).
Our fingerprint is: 3EE5 D572 4D6D 00E5 5C53 F8FD C406 FBF7 6019 5DC6
We thank all those for their hard work in helping to make us more secure.
If your name is on the list incorrectly or you feel you should be on the list please feel free to mail us.