LGTM is a code analysis platform for development teams to identify vulnerabilities early and prevent them from reaching production. It uses CodeQL which works by retrieving source code from version control systems, building it with custom tooling, and creating analysis results.
LGTM uses Docker containers to isolate the build and analysis environment from the rest of the infrastructure. By nature this environment permits arbitrary code execution by any registered user, so the quality of isolation is a critical part of the security model. The public site includes two user types (user and admin user) as well as anonymous access.
lgtm-com.pentesting.semmle.netis a dedicated instance of LGTM for your research. The following classes of vulnerabilities are typically eligible for reward:
Note: there is no need to request a sign-up, you may self-register accounts.
backend-dot-lgtm-penetration-testing.appspot.com is used for triggering automated tasks from other parts of the LGTM system. It does not provide a user interface.
lgtm.comis out of scope and not eligible for bounties.
The LGTM worker sandbox is designed to execute arbitrary code. The sandbox is designed to execute untrusted code and prevent access to private networked resources or other users’ data. Escaping the sandbox to access private networked resources or other user’s data is a vulnerability and eligible for reward.
Vulnerabilities which allow attackers to exfiltrate the Semmle command line tools are ineligible for rewards. This includes tools used to analyze source code and any other files that are intentionally made available to builds.
Denial of service attacks which involve exhaustion of resources, such as adding a large number of projects, adding a project with a large number of commits or running a large number of queries are ineligble for rewards. Vulnerabilities allowing LGTM to send large numbers of emails are also ineligible.
Vulnerabilties which allow attackers to enumerate email address are ineligble for rewards.
Lack of emails being sent out when a security-relevant event, such a password reset, occurs is ineligible for rewards.