Vulnerability Disclosure Policy and Bounty Program

As a provider of legal data and services, Free Law Project takes seriously our responsibility to keep user information and systems safe and secure.

We want security researchers to feel comfortable reporting vulnerabilities they've discovered. This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Guidelines

For this policy to apply, we require that you:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

• Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined below, you must stop your test and notify us immediately.

• Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified Free Law Project. For details, please review Coordinated Disclosure.

Scope

This policy applies to the following systems:

• The RECAP Extensions

• courtlistener.com and related services such as its API or alerts

• Our Data Replication System

• free.law

• bots.law

• Non-public data on public third-party services — Free Law Project utilizes a number of third-party services to support its work model. While non-public data published publicly on those services is in scope, testing those services is not in scope.

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. If you aren't sure whether a system or endpoint is in scope or not, contact us at security@free.law before starting your research.

Some of these systems may be eligible for small bounties.

The following test types are not authorized as part of this policy:

• Network denial of service (DoS or DDoS) tests.
• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately:

• Personally identifiable information
• Financial information (e.g. credit card or bank account numbers)
• Proprietary information or trade secrets of companies of any party

The following security enhancements are not currently planned:

• DNSSEC

Authorization

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Reporting a Vulnerability

Please submit vulnerabilities to security@free.law. Reports may be submitted anonymously.

Reports should include:

• Description of the location and potential impact of the vulnerability.

• A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.

• Any technical information and related materials we would need to reproduce the issue.

Please keep your vulnerability reports current by sending us any new information as it becomes available.

We may share your vulnerability reports with US-CERT, as well as any affected vendors or open source projects.

Coordinated Disclosure

Free Law Project is committed to patching vulnerabilities within 90 days or less, and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other's mistakes.

At the same time, we believe that disclosure in absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on our patch. If you believe there are others that should be informed of your report before the patch is available, please let us know so we can make arrangements.

We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything, but we will never publish information about you or our communications with you without your permission. In some cases, we may also have some sensitive information that should be redacted, and so please check with us before self-disclosing.

Bounty Program

Not all reported issues may qualify for a reward. Rewards are awarded at Free Law Project's sole discretion. As a small nonprofit we are unable to afford cash bounties (sorry!), but can offer non-cash rewards, including:

• Public acknowledgement
• Free Law Project stickers, shirts, etc. (for U.S. residents only, sorry)
• Complimentary Free Law Project services
• Opportunities to meet with Free Law Project staff
• Complimentary tickets to Free Law Project events

If you would like a particular reward, please let us know when you report the vulnerability. While the reward Free Law Project provides in exchange for disclosing a vulnerability under this policy will be up to the sole discretion of Free Law Project, we will certainly take your request into consideration.

Please note that in some cases we will be unable to provide a physical reward if the shipping cost is prohibitively expensive, or if we have had difficulties shipping to your area before.

Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law (i.e. North Korea, Cuba, etc.).

Policy History

The complete history of this document, including unofficial edits, can be found online in our repository for this website. The official versions and their notes are noted below.

2019-07-25 — First version published, pulling heavily from the 18F VDP, the Electronic Frontier Foundation bounty program, and disclose.io. Thank you for your leadership!

Public Acknowledgements

We thank the following individuals for their assistance reporting and fixing vulnerabilities in our systems:

• Django Admin not Ratelimited (Mat Shuke, 2022-08-09) CourtListener
• Ratelimiters broken after move to CDN (Raju Basak, 2022-06-30) CourtListener
• Matomo listing all installed dependencies (Harinder Singh, 2021-11-02) matomo
• Open redirect with newline-separated scheme (Agung Saputra, Michael Lissner, 2021-03-15) CourtListener python
• Password policy allows usernames to match email address (Chirag Agrawal, 2020-12-15) CourtListener Django
• Absence of (mostly-obsolete) X-XSS-Protection header on free.law (Kinshuk Kumar, 2020-12-08) Free.law
• Absence of throttling on password change page (Mohsin Ali, 2020-12-09) CourtListener
• Session availability after account deletion (Mohd Asif Khan, 2020-12-03) CourtListener
• Weak password policy allowed insufficient passwords (Shubham Panchal, 2020-12-02) CourtListener
• Incorrect scheme sent to proxy (Muskan Shaikh, 2020-12-01) CourtListener
• Absence of throttling on login page (Elumalai Vasan, 2020-07-13) CourtListener
• Referer header leakage via social links (Deepakkumar Gupta, 2020-04-27) CourtListener
• Absence of throttling on forgot password page (Priya More, 2020-03-12) CourtListener
• XSS attack in registration flow (Vishal Bharad, 2020-01-22) CourtListener
• Subdomain takeover attack at mail.courtlistener.com (Ratnadip Gajbhiye, 2019-10-09) flp
• Open redirect on successful registration (Ankit Thakur, 2019-10-01) CourtListener