If you believe you’ve found a security vulnerability in Loupely, the Loupely Lens extension, or any related infrastructure, report it to security@useloupely.com with the subject line Security Vulnerability Report.
Don’t file it as a public GitHub issue, post about it on social media, or discuss it in public before the issue has been resolved. Public disclosure before a fix is in place puts other users at risk.
What to include #
A description of the vulnerability, the component it affects (Loupely Chrome extension, WordPress Plugin, the web application, backend API, or infrastructure), steps to reproduce, the potential impact if the vulnerability were exploited, and any proof-of-concept you’ve developed.
What to expect #
Reports are acknowledged within 48 hours. Loupely doesn’t have a formal bug bounty program at this stage. If a fix is deployed as a result of your report, you’ll be credited in the release notes if you want to be.
If you want to encrypt your report, contact security@useloupely.com to request a PGP public key before sending.