If you identify a security vulnerability on www.leopump.store, we urge you to contact us immediately. We take all legitimate vulnerability reports seriously and will strive to resolve issues swiftly. Before reporting, please review this document, including our principles, bounty program, reward guidelines, and what should not be reported, to ensure a smooth process for protecting our customers shopping for lawn mowers, riding mowers, garden pumps, and home tools.

Principles

When reporting a security issue to LEO Store, if you follow these principles, we will not initiate legal action or an enforcement investigation against you in response to your report. We request that you:

  1. Provide us with a reasonable time to evaluate and fix the reported issue before disclosing any details publicly or sharing with others.
  2. Avoid accessing or modifying data in individual accounts without the explicit consent of the account owner.
  3. Act in good faith to prevent privacy violations and disruptions, such as data destruction or degradation of our services for LEO products.
  4. Do not exploit any discovered security issue for any purpose, including demonstrating additional risks or searching for further vulnerabilities.
  5. Adhere to all relevant laws and regulations.

Bounty Program

We appreciate and reward security researchers who help us protect our customers by reporting vulnerabilities in our services. Monetary bounties for such reports are at the sole discretion of LEO Store, based on factors like risk and impact. To be eligible for a potential bounty, you must meet these requirements:

  1. Adhere to our principles (see above).
  2. Report a security vulnerability that poses a genuine security or privacy risk to our services or infrastructure for lawn care products. (LEO Store determines the risk level, and not all bugs qualify as security issues.)
  3. Submit your report through our security contact channels. Do not contact employees directly.
  4. If you unintentionally cause a privacy violation or disruption (e.g., accessing account data or confidential information) while investigating, disclose this in your report.
  5. We investigate and respond to all valid reports, but due to volume, responses may take time, with priority given based on risk and other factors.
  6. We reserve the right to publish reports.

Rewards

Our rewards are determined by the impact of the vulnerability. We may update this program based on feedback, so please share suggestions to improve it.

  1. Submit detailed reports with reproducible steps. Reports lacking sufficient detail to reproduce the issue will not be eligible for a bounty.
  2. In case of duplicate reports, we award the first report that we can fully reproduce.
  3. Multiple vulnerabilities stemming from a single underlying issue will receive one bounty.
  4. Bounty amounts are based on factors such as impact, ease of exploitation, and report quality, at our discretion.
  5. The amounts below are the maximum we will pay per severity level, and all rewards are at our discretion.
  • Critical Severity Vulnerabilities ($200): Issues causing privilege escalation from unprivileged to admin, remote code execution, financial theft, etc.
    Examples:
    • Remote Code Execution
    • Remote Shell/Command Execution
    • Vertical Authentication Bypass
    • SQL Injection leaking targeted data
    • Full account access
  • High Severity Vulnerabilities ($100): Issues affecting platform security or its processes.
    Examples:
    • Lateral Authentication Bypass
    • Disclosure of sensitive company information
    • Stored XSS for another user
    • Local File Inclusion
    • Insecure handling of authentication cookies
  • Medium Severity Vulnerabilities ($50): Issues affecting multiple users with minimal interaction required.
    Examples:
    • Common logic design flaws or business process defects
    • Insecure Object References
  • Low Severity Vulnerabilities: Issues affecting single users, requiring interaction or significant prerequisites (e.g., MITM).
    Examples:
    • Open Redirect
    • Reflected XSS
    • Low-sensitivity information leaks

Contact Us

For security vulnerability reports or inquiries about your LEO products, our support team is available 24/7:

  • Phone: +1 (202) 6448-268
  • Email: Contact@leopump.store
  • Address: 1219 Carrollsburg Pl SW, Washington, District of Columbia 20024

Thank you for helping us keep LEO Store secure for customers shopping for lawn mowers, riding mowers, garden pumps, and home tools.