Vulnerability Disclosure Program

Last modified on August 15, 2023.

Life.Church is committed to maintaining the security of our systems and data. If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below.

Thank you in advance for your submission. We appreciate researchers assisting us in our security efforts.

For purposes of this program, “Life.Church” refers to Life.Church and its affiliates and subsidiaries, including but not limited to YouVersion.

Vulnerability Disclosure Program Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not engage in any activity that can potentially cause harm to Life.Church, our attendees, users, or our employees.
  • Once a vulnerability has been discovered, stop all related activity, and notify us immediately.
  • Provide Life.Church reasonable time to fix any reported issue before making any information public.

Prohibited Actions

Security researchers are expected to act responsibly and cause no harm. The following actions are outside of the scope of this program and are strictly prohibited:

  • Phishing
  • Social engineering
  • Denial-of-service attacks
  • Resource exhaustion attacks
  • Any violation of the Life.Church Privacy Policy
  • Testing of any third-party services
  • Use of any vulnerability to exfiltrate data, gain persistent command-line access or facilitate lateral movement within our systems

In-Scope Assets

  • *.life.church
  • *.youversion.com
  • *.bible.com
  • *.youversionapi.com

Out-of-Scope Vulnerabilities

The following vulnerabilities are out of scope and should not be submitted:

  • Theoretical vulnerabilities
  • WordPress Username Enumeration
  • Information related to server status
  • Enumeration of directories, files, or assets
  • Findings related to password strength
  • Login/Logout/Unauthenticated/Low-impact CSRF
  • Self-exploitation
  • Any service or libraries not directly hosted or controlled by Life.Church
  • Valid bugs or best-practice issues that are not directly related to the security posture of Life.Church

Submission Instructions

When reporting a potential vulnerability, please include a detailed summary, including the target, steps, tools, and artifacts used during the discovery. Submit your findings to cybersecurity@life.church.

As a nonprofit, Life.Church does not operate a public bug bounty program, and we make no offer of reward or compensation in exchange for submitting potential issues. Recognition in our “Public Acknowledgments” section will be given for vulnerability reports not previously known to us.

Disclaimers

Any good-faith activities conducted consistent with this program will be considered authorized conduct, and we will not initiate legal action against you. Life.Church reserves the right to change or cancel this program at any time.