LGTM is a code analysis platform for development teams to identify vulnerabilities early and prevent them from reaching production. It uses CodeQL which works by retrieving source code from version control systems, building it with custom tooling, and creating analysis results.
LGTM uses Docker containers to isolate the build and analysis environment from the rest of the infrastructure. By nature this environment permits arbitrary code execution by any registered user, so the quality of isolation is a critical part of the security model. The public site includes two user types (user and admin user) as well as anonymous access.
Due to the deprecation of LGTM.com, this target will soon become out-of-scope for the GitHub bug bounty program. If you’re currently working on any reports for this target, please ensure they are submitted before August 30th.
Thank you for the valuable and detailed reports for LGTM. We hope you’ll continue your security research on other GitHub products and services.
lgtm-com.pentesting.semmle.net is a dedicated instance of LGTM for your research. The following classes of vulnerabilities are typically eligible for reward:
Note: there is no need to request a sign-up, you may self-register accounts.
backend-dot-lgtm-penetration-testing.appspot.com is used for triggering automated tasks from other parts of the LGTM system. It does not provide a user interface.
lgtm.com is out of scope and not eligible for bounties.

The LGTM worker sandbox is designed to execute arbitrary, untrusted code while preventing access to private networked resources or other users' data. Escaping the sandbox to access private networked resources or other users' data is a vulnerability and eligible for reward.
Vulnerabilities which allow attackers to exfiltrate the Semmle command line tools are ineligible for rewards. This includes tools used to analyze source code and any other files that are intentionally made available to builds.
Denial of service attacks which involve exhaustion of resources, such as adding a large number of projects, adding a project with a large number of commits or running a large number of queries are ineligible for rewards. Vulnerabilities allowing LGTM to send large numbers of emails are also ineligible.
Vulnerabilities which allow attackers to enumerate email addresses are ineligible for rewards.
Lack of emails being sent out when a security-relevant event, such as a password reset, occurs is ineligible for rewards.