Responsible Disclosure

Lake Michigan Credit Union takes information security seriously and is dedicated to protecting the security of our systems and data. We value the input of security researchers in helping to improve our security posture. If you believe you've found a security issue in one of our applications or systems, please notify us by submitting a report following the guidelines outlined below.

Eligibility

  • You agree that all testing and research activities will comply with all applicable Federal, State, and local law.
  • You agree that you are acting in your own individual capacity and not on behalf of another company with whom you are employed or have otherwise been retained.
  • You are not a current or former employee of Lake Michigan Credit Union or any of its affiliates.

Guidelines

  • Please review and follow the guidelines listed below prior to conducting testing and reporting potential security issues to Lake Michigan Credit Union's Vulnerability Disclosure Program.
  • Your vulnerability report must meet all of HackerOne's© Vulnerability Disclosure Guidelines.
  • Please document your findings and provide steps to reproduce in your submission.
  • Do not perform any activities that could cause harm, disruption, or permanent modifications to LMCU systems.
  • Do not exfiltrate or share any LMCU data with other parties.
  • Do not engage in any activity that violates federal, state, local, or international laws or regulations.
  • Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
  • By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties outside of the terms of the Vulnerability Disclosure Program.
  • Lake Michigan Credit Union will not be publicly disclosing reports at this time. If and when Lake Michigan Credit Union discloses a report, it will be mutually agreed upon with the Vulnerability Disclosure Program participant.
  • Lake Michigan Credit Union reserves the right to deny any request for public disclosure.

For more information on HackerOne Vulnerability Disclosure Guidelines please visit HackerOne's Guidelines.

Scope

Domains where Lake Michigan Credit Union is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains maintained by third parties, other than Lake Michigan Credit Union, are not in scope for this program. Vulnerabilities in scope include vulnerabilities with a confirmed security impact and can typically include the following types of issues:

  • Cross-site Scripting (XSS).
  • Cross-site Request Forgery (CSRF).
  • Server-Side Request Forgery (SSRF).
  • SQL Injection.
  • Remote Code Execution (RCE).
  • XML External Entity Attacks (XXE).
  • Access Control Issues (Insecure Direct Object Reference issues, etc.).
  • Exposed Administrative Panels without strong protection.
  • Directory Traversal Issues.
  • Local File Disclosure (LFD).
  • Large-scale Leakage of Users' Sensitive Information.
  • Known vulnerability in unpatched software (usually third party) with working proof of concept.
  • The following vulnerability types are welcomed for submission but will be considered informative:
    • Leaked credentials already known to LMCU's monitoring solutions.

Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.

Legal

You must comply with security industry best practices, and all applicable Federal, State, and local laws in connection with your participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to Lake Michigan Credit Union and you shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information, including vulnerability details, to third parties or use such information for any purposes other than for the performance of your work or as expressly authorized in writing by Lake Michigan Credit Union. You acknowledge and agree that all information you encounter is owned by Lake Michigan Credit Union or its third-party providers, clients, or customers. You have no rights, title, or ownership to any information that you may encounter. All ownership rights in Lake Michigan Credit Union branded sites listed as in Scope for this program are retained by Lake Michigan Credit Union, its Affiliates and their licensors, and protected under applicable copyrights, trademarks and other proprietary rights (including intellectual property). Nothing in these Terms will be construed as creating a joint venture, partnership, employment, or agency relationship between you and Lake Michigan Credit Union, and you do not have any authority to create any obligation or make any representation on Lake Michigan Credit Union's behalf.

Lake Michigan Credit Union may modify the terms of this policy or terminate it at any time.