Vulnerability Disclosure Program

LPL Financial takes information security seriously and is dedicated to protecting the security of our systems and data. We value the input of security researchers in helping to improve our security posture. If you believe you’ve found a security issue in one of our applications or systems, please notify us by submitting a report following the guidelines outlined below.


Eligibility

  • You agree that all testing and research activities will comply with all applicable Federal, State, and local laws.
  • You agree that you are acting in your own individual capacity and not on behalf of another company with whom you are employed or have otherwise been retained.
  • You are not a current or former employee of LPL Financial or any of its affiliates.

Guidelines

Please review and follow the guidelines listed below prior to conducting testing and reporting potential security issues to LPL Financial's Vulnerability Disclosure Program.

  • Your vulnerability report must meet all of HackerOne’s Vulnerability Disclosure Guidelines.
  • Please document your findings and provide steps to reproduce in your submission.
  • Do not perform any activities that could cause harm, disruption, or permanent modifications to LPL systems.
  • Do not exfiltrate or share any LPL data with other parties.
  • Do not engage in any activity that violates federal, state, local, or international laws or regulations.
  • Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
  • By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties outside of the terms of the Vulnerability Disclosure Program.
  • LPL Financial will not be publicly disclosing reports at this time. If and when LPL Financial discloses a report, it will be mutually agreed upon with the Vulnerability Disclosure Program participant.
  • LPL Financial reserves the right to deny any request for public disclosure.

Scope

Domains where LPL Financial is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains maintained by third parties, other than LPL Financial, are not in scope for this program. Vulnerabilities in scope include vulnerabilities with a confirmed security impact and can typically include the following types of issues.

  • Cross-site Scripting (XSS).
  • Cross-site Request Forgery (CSRF).
  • Server-Side Request Forgery (SSRF).
  • SQL Injection.
  • Remote Code Execution (RCE).
  • XML External Entity Attacks (XXE).
  • Access Control Issues (Insecure Direct Object Reference issues, etc.).
  • Exposed administrative panels without strong protection.
  • Directory Traversal Issues.
  • Local File Disclosure (LFD).
  • Large-scale leakage of users' sensitive information.
  • Known vulnerabilities in unpatched software (usually third party) with a working proof of concept.

Out of Scope

The following vulnerability types are considered to be out-of-scope and are not eligible for the Vulnerability Disclosure Program:

  • Any activity that could lead to the disruption of our service (DoS, DDoS).
  • Brute-forcing of user credentials.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions including login/logout functionalities.
  • Attacks requiring physical access to a user's device.
  • Missing best practices including Content Security Policy and HttpOnly or Secure flags on cookies without demonstrating an exploitable vulnerability.
  • Information disclosure of non-sensitive information through error messages or response headers without demonstrating an exploitable vulnerability.
  • Username harvesting.
  • Open redirects unless a significant impact can be demonstrated.
  • Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
  • Session timeout.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working proof of concept exploit.
  • Missing best practices in SSL/TLS configuration.
  • Social engineering of our employees or contractors, unless explicitly authorized.
  • Attacks against our physical facilities.
  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep our company and our users safe!

Legal

You must comply with security industry best practices, and all applicable Federal, State, and local laws in connection with your participation in this vulnerability disclosure program.

You agree that any and all information acquired or accessed as part of this exercise is confidential to LPL Financial and you shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information, including vulnerability details, to third parties or use such information for any purposes other than for the performance of your work or expressly authorized in writing by LPL Financial.

You acknowledge and agree that all information you encounter is owned by LPL Financial or its third-party providers, clients, or customers. You have no rights, title, or ownership to any information that you may encounter. All ownership rights in LPL branded sites listed as in Scope for this program are retained by LPL Financial, its Affiliates and their licensors, and protected under applicable copyrights, trademarks and other proprietary rights (including intellectual property).

Nothing in these Terms will be construed as creating a joint venture, partnership, employment, or agency relationship between you and LPL Financial, and you do not have any authority to create any obligation or make any representation on LPL Financial's behalf.

LPL Financial may modify the terms of this policy or terminate it at any time.