lucca-bug-bounty-program

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (30)

Asset	Category	Bounty	Quick Links
/lucca-api/*	URL	Yes	-
Absences	OTHER	Yes	-
Accounting Assistant	URL	Yes	-
Benefits	URL	Yes	-
Business Expense (beta)	URL	Yes	-
Compensation	OTHER	Yes	-
Core HR	OTHER	Yes	-
Engagement	URL	Yes	-
Expenses (not the beta version)	URL	Yes	-
Invoices	URL	Yes	-
Lucca (https://apps.apple.com/fr/app/lucca/id1575212411)	IOS	Yes	-
Lucca (https://play.google.com/store/apps/details?id=net.ilucca.timmi_pwa.twa)	ANDROID	Yes	-
Lucca - Note de frais (https://apps.apple.com/fr/app/lucca-notes-de-frais/id740679284)	IOS	Yes	-
Lucca - Note de frais (https://play.google.com/store/apps/details?id=fr.lucca.cleemy&hl=fr&pli=1)	ANDROID	Yes	-
Lucca Administration	OTHER	Yes	-
Lucca Analytics	URL	Yes	-
Lucca Client Center	OTHER	Yes	-
Lucca Home	OTHER	Yes	-
Lucca Shared Documents	URL	Yes	-
Lucca Whistleblowing	URL	Yes	-
Office	OTHER	Yes	-
Payroll Assistant	URL	Yes	-
Payslip	OTHER	Yes	-
Performance	URL	Yes	-
Projects	URL	Yes	-
Recruitment	URL	Yes	-
Special scenario (see description)	OTHER	Yes	-
Timesheet	URL	Yes	-
Training	OTHER	Yes	-
https://security{xxx}.ilucca.net/identity/	URL	Yes	-

Out-of-Scope Assets (8)

Asset	Category	Bounty
** All API V2 endpoints matching `/api/*` that use the `?fields` parameter are considered out of scope. We're already aware of a common issue affecting these endpoints and are actively working on a global fix. To avoid duplicates, please do not report issues related to these endpoints.	OTHER	Yes
** Cross Establishment issues on Accounting Assistant	OTHER	Yes
** Cross Establishment issues on Invoice	OTHER	Yes
** Cross Establishment issues on Timesheet.	OTHER	Yes
** Cross Establishments issues on Training.	OTHER	Yes
** HTML Injection without any impact.	OTHER	Yes
** XSS on Cleemy (Note de frais) legacy that require at least an account with manager privilege	OTHER	Yes
All domains or subdomains not folowing the pattern (security{XXX}) listed in the above list of 'Scopes'.	OTHER	Yes