Reporting a Vulnerability
If you believe you've found a security vulnerability in Littlebird, please report it to security@littlebird.ai. Include a detailed description, reproduction steps, and any supporting evidence.
We will acknowledge receipt within 5 business days and aim to provide an initial assessment within 15 business days.
Scope
The following are in scope for this program:
- Littlebird Desktop application (macOS)
- Littlebird backend services (*.lilbird.co)
- Authentication and authorization flows
- Data handling and storage of user content
Out of Scope
The following are out of scope and will not be eligible for review:
- Third-party services or integrations that Littlebird uses (e.g., Auth0, Sentry, PostHog). Vulnerabilities in these services should be reported to the respective vendor
- Littlebird marketing pages and documentation sites (littlebird.ai)
- Issues found through automated scanning tools without a demonstrated proof of concept
Ineligible Findings
We follow HackerOne's Core Ineligible Findings as our baseline. In addition, the following are not eligible:
Attacks requiring local device access
- Vulnerabilities that require physical access to a user's device, or the ability to install and run software on a user's machine
- Reading process environment variables, memory, or files that require local access to the device, or extraction of hardcoded keys or tokens from the application binary on a device you control
- Electron apps are plain-text JavaScript by design, and keys embedded in the client bundle are not treated as secrets
- Decryption of local config files using keys found in the binary (e.g., electron-store encryption is not a security boundary, per the library's own docs)
Write-only telemetry tokens
- Exposure of client-side ingest tokens for telemetry and analytics services (e.g., PostHog, Sentry, Axiom). These are write-only by design and shipping them in client apps is industry standard practice
Low-impact configuration issues
- Default Electron framework configurations (e.g., NSAllowsArbitraryLoads in Info.plist) when all production endpoints enforce TLS
- Missing HTTP security headers, cookie flags, or Content-Security-Policy configurations without a demonstrated exploit
- SSL/TLS configuration preferences and missing certificate pinning without a demonstrated attack
- Software version or technology stack disclosure
Other exclusions
- Denial of Service (DoS/DDoS) attacks or resource exhaustion
- Social engineering or phishing attacks against Littlebird employees or users
- Brute force attacks against authentication endpoints
- Clickjacking and CSRF on pages without sensitive actions
- Content spoofing or text injection without demonstrated security impact
- Account or email enumeration
- Findings already publicly disclosed before giving us reasonable time to address them
Rules of Engagement
- Only test against your own account and data
- Do not access, modify, or delete data belonging to other users
- Do not disrupt Littlebird's services or degrade the experience for other users
- Do not perform denial of service testing
- Do not engage in social engineering against Littlebird staff or users
- Provide us reasonable time to address the issue before any public disclosure
Safe Harbor
If you conduct security research in accordance with this policy, we consider your activities to be authorized and will not pursue legal action against you. We ask that you act in good faith, avoid privacy violations, and work with us to resolve issues responsibly.
Recognition
We may offer recognition or compensation for valid, high-impact findings at our discretion. We will work with you directly to determine appropriate acknowledgment.