Lucidity Vulnerability Disclosure Policy

At Lucidity we take security issues very seriously, and recognise the importance of privacy and data integrity to our users. Given this, we strive to provide responsible disclosure to our customers or vendors where they are affected by security vulnerabilities.

Reporting Security Issues

If you believe you have discovered a vulnerability in a Lucidity product or have a security incident to report, please contact security@luciditysoftware.com.au 

Responsible Disclosure Guidelines

  • Notify Lucidity and provide us with details of the vulnerability. Please allow us a reasonable time period to address the issue before public disclosure.
  • Provide an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information.
  • We will confirm your email and evaluate the validity and reproducibility of the issue. For valid issues, we will work to fix the issue and endeavour to keep you apprised of progress.
  • You make every effort to avoid privacy violations and disruptions to other users, including destruction of data or interruptions or degradations of our services.
  • You do not exploit a security issue you discover. 

Bug Bounty Program Terms

We recognise and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Lucidity's discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you first need to meet the following requirements:

  • Adhere to our Responsible Disclosure Policy (see above).
  • Report a bug that is a security issue. Not all bugs are considered security issues, and Lucidity reserves the right to determine what constitutes a potential security vulnerability.
  • Your report falls within the accepted scope (as defined in Bug Bounty Scope).
  • If you inadvertently cause a privacy violation or service disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
  • We determine bug bounty amounts based on a number of factors, including the ease of exploitation, potential risk and other factors that Lucidity considers relevant.
  • In the event of a duplicate report, the first reporter of the issue will be awarded the bug bounty.  

Bug Bounty Scope

The following domains are included:

  • *.integralcs.com 
  • *.luciditysoftware.com.au


The following domains are excluded:

  • *.ourintranet.net
  • *.intranet.integralcs.com
  • cruse.com.au
  • luciditysoftware.com.au