
Vulnerability Disclosure Policy

Introduction

LivePerson is committed to protecting the confidentiality, integrity, and availability of client and consumer data. We value the members of the independent security research community who find security vulnerabilities and work with us to report and address them so that effective security fixes can be developed and deployed to all customers. For this reason, we conduct this Vulnerability Disclosure Program (“Program”) in order to give security researchers clear guidelines for conducting vulnerability discovery activities and submitting discovered vulnerabilities to us.

Expectations

In executing this Program, you can expect us to:

  • promptly acknowledge receipt of your submissions under this Program;
  • work with you to understand and validate your report, and inform you within 10 days whether the submission is accepted or rejected;
  • work to remediate validated vulnerabilities in a timely manner and keep you updated on our progress;
  • recognize your contribution to our security posture if you are the first to report a unique and significant vulnerability; and
  • extend “Safe Harbor” protection (as described below) for good faith activities in compliance with this Program.

As a participant in this Program, we expect you to:

  • operate in good faith, never intentionally viewing, storing, modifying, or destroying data that does not belong to you, and refrain from any extortionate behavior;
  • perform testing only on in-scope programs (as described below);
  • identify issues and report them to us promptly after you discover them, without negatively impacting LivePerson’s customers or services, and communicate about issues only in accordance with this Program;
  • maintain the confidentiality of all information related to your findings; and
  • provide sufficient details for the vulnerability to be reproduced and be able to provide a log of all activity related to your discovery, including your IP address(es) and timestamped requests to aid us in validation and investigation.

Program Rules

As part of your participation in this program, you agree to honor the following rules:

  1. Do not perform denial of service attacks, or any attacks that have a reasonable chance of degrading service or customer experience.
  2. Do not intentionally view, store, transfer, modify, or destroy data that does not belong to you, and inform us if you have inadvertently accessed or viewed such data.
  3. Do not use tools that automatically deliver exploit payloads.
  4. Do not engage in phishing attacks or other forms of social engineering.
  5. Use only disclosures@liveperson.com to submit vulnerability information to us. A LivePerson employee will contact you via an alternate address to which you may direct continued communications after your initial report.
  6. Only perform testing on in-scope systems and services (see below).
  7. Maintain the confidentiality of all information related to your findings and refrain from public disclosure for a reasonable period of time until we have implemented a fix. Usually, we expect this to take less than 45 days, but in exceptional cases it may take longer than 45 days to implement a fix.

In-scope and Out-of-Scope Systems and Services

In scope systems and services include the following:

  • *.liveperson.com
  • *.liveperson.net

Vulnerabilities found in systems from our vendors fall outside of this Program’s scope and should be reported directly to the vendor according to their Disclosure Policy (if any).

If you aren’t sure whether a system is in scope or not, contact us at disclosures@liveperson.com before starting your research. Though we develop and maintain other internet-accessible systems and services, it is our desire and expectation that active research and testing will only be conducted on the systems and services covered by the scope described above. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first and we may add it to the above list.

Recognition & Rewards

LivePerson may offer recognition for vulnerability reports that have a significant business impact on our customers, products, or services. Recognition may include LivePerson merchandise, listing in a LivePerson security hall of fame, social media acknowledgement, gifts, or, in exceptional cases, a monetary reward through our managed Bug Bounty Program and platform (see https://www.intigriti.com/ for more information) if you are notified of eligibility and follow our instructions to register there. A researcher’s eligibility to receive recognition under this Program is entirely at our discretion and depends heavily on the sensitivity of the affected information, the severity of the issue, and the conduct of the researcher. Please note that it is common in our industry for no recognition to be given when a bug is of little significance to a company’s security posture. The following are some examples of findings that ordinarily would not qualify for recognition or rewards:

  • UI and UX bugs and spelling mistakes;
  • TLS/SSL related issues;
  • SPF, DMARC, and DKIM configurations;
  • Vulnerabilities due to out-of-date browsers or plugins;
  • Lack of the Secure flag on cookies;
  • Issues that require a malicious application installed on the device;
  • Vulnerabilities requiring a jailbroken device;
  • Use of a known-vulnerable library without proof of exploitability;
  • Distributed Denial of Service (DDoS) attacks or brute force attacks;
  • Lack of session timeout;
  • CSV injection.

Assuming we determine that the issue in question is valid and significant, the following rules apply with respect to any recognition or reward:

  1. You must agree and adhere to the Program Rules above.
  2. You must follow the Reporting Guidelines below.
  3. You must be the first person to report the issue to us. We will review duplicate issues to see if they provide additional information, but otherwise only recognize the first reporter.
  4. You must be available to supply additional information as needed by our team to reproduce and triage the issue.
  5. If any recognition is provided, that will occur at the time we finalize a fix.
  6. Active and former LivePerson employees are not eligible for participation in this program.
  7. You must be 18 years or older and you must register as a researcher with our managed bug bounty program to be eligible for a monetary reward. Monetary rewards are paid only through our managed bug bounty program and platform (currently managed by Intigriti).

Reporting Guidelines

If you believe you’ve found a security issue in one of our products or services, please email us at disclosures@liveperson.com and include the following details within your report:

  • Sufficient identifying and contact information to enable us to communicate with you;
  • A brief description of the issue and all instances or endpoints at which it is located;
  • Screenshots and/or videos demonstrating the issue;
  • Step-by-step instructions on how to reproduce the issue, including any exploit code;
  • Operating system and/or version information, if relevant.

In submitting your report, please do not upload screenshots, videos, or exploit code to a publicly accessible server or repository in preparation for your email, and please do not zip or archive your files.

Safe Harbor and Legal

Any activities conducted in good faith to comply with all guidelines of this Program will be considered authorized conduct and we will not initiate or recommend legal action against you for such conduct. If you submit a report through this Program which affects a third-party service, we will limit what we share with any affected third party. We may share non-identifying content from your report with an affected third party, but only after notifying you that we intend to do so and getting the third party’s written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. We will not share your identifying information with any affected third party without first getting your written permission to do so.

We reserve the right to modify the terms and conditions of this Program and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our Program terms and eligibility, which are effective upon posting. We reserve the right to cancel this Program at any time. Please contact us with any questions before engaging in any conduct that is unclear to you or is not addressed in the above terms.