Vulnerability Disclosure Policy

Responsible Disclosure

We appreciate your help and dedication to securing Listrak services. Listrak acknowledges the importance of privacy, security and community outreach. As such, we are committed to verifying and addressing security issues through a coordinated and constructive approach designed to drive the greatest protection for technology users. 

Whether you are a Listrak client, a consumer, a Listrak vendor, or simply a security enthusiast, you are an important part of this process. Accordingly, we encourage responsible reporting of any confirmed or potential vulnerabilities found within our platform or services.

Reporting Security or Privacy Issues

If you believe that you have found a vulnerability in the Listrak platform or within a Listrak integration, privately share the details of your discovery, including steps to reproduce the issue, with Listrak’s Information Security Department at security@listrak.com.

When properly notified of legitimate issues, we will do our best to acknowledge your emailed report, assign resources to investigate and confirm the issue, address potential problems as appropriate for the assessed risk, and notify you upon resolution. Listrak requests that the reporter keep any communications regarding the vulnerability confidential. NOTE: Monetary rewards are not guaranteed for validated submissions.

Testing for Security Vulnerabilities

Examples of encouraged submission types include:

  • OWASP Top 10
  • Authorization / authentication issues
  • Information disclosure
  • Business logic / process vulnerabilities

Listrak prohibits assessments involving automated scanning tools and any of the following: 

  • Social engineering 
  • Physical security attacks 
  • Tests against clients, partners, or any other third party 
  • Actions that may degrade performance or availability of Listrak services, such as Denial of Service and Brute Force
  • Attempting to access or modify information that does not belong to you 
  • Actions that may violate laws or constitute a breach of any contract 
  • Compounding or creating new vulnerabilities/weaknesses 
  • Anything that helps to maintain a foothold and evade detection