LGTM is a code analysis platform that helps development teams identify vulnerabilities early and prevent them from reaching production. It is built on CodeQL, which works by retrieving source code from version control systems, building it with custom tooling, and producing analysis results from the resulting database.

LGTM uses Docker containers to isolate the build and analysis environment from the rest of the infrastructure. By design, this environment permits arbitrary code execution by any registered user (a project's build steps run there), so the quality of that isolation is a critical part of the security model. The public site has two user types (user and admin user) as well as anonymous access.

Out of scope

Code execution in the LGTM worker sandbox

The LGTM worker sandbox is designed to execute arbitrary, untrusted code while preventing access to private networked resources or other users' data. Running code inside the sandbox is therefore expected behaviour and not a vulnerability. Escaping the sandbox to reach private networked resources or other users' data, however, is a vulnerability and is eligible for reward.

Exfiltrating Semmle command line tools

Vulnerabilities which allow attackers to exfiltrate the Semmle command line tools are ineligible for rewards. This includes the tools used to analyze source code and any other files that are intentionally made available to builds.

Denial of service and resource exhaustion

Denial of service attacks which involve exhaustion of resources, such as adding a large number of projects, adding a project with a large number of commits, or running a large number of queries, are ineligible for rewards. Vulnerabilities allowing LGTM to be made to send large numbers of emails are also ineligible.

Email address enumeration

Vulnerabilities which allow attackers to enumerate email addresses (for example, distinguishing registered from unregistered addresses via login, registration or password-reset responses) are ineligible for rewards.

Lack of security-relevant emails

Lack of an email notification when a security-relevant event, such as a password reset, occurs is ineligible for rewards.

