Vulnerability Disclosure Program (VDP)

VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.

lovable-vdp

HackerOneView on HackerOne

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (4)

Asset	Category	Bounty	Quick Links
api.lovable.dev	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
lovable.dev	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
mcp.lovable.dev	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
oauth.lovable.dev	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (1)

Asset	Category	Bounty
lovable.app	URL	No

Scope Changes (16)

May 11, 2026

Change	Asset	Category	Scope	Time
Added	mcp.lovable.dev	URL	In Scope	10:28
Added	mcp.lovable.dev	URL	In Scope	10:28

Apr 29, 2026

Change	Asset	Category	Scope	Time
Removed	auth.lovable.dev	URL	In Scope	10:28

Apr 28, 2026

Change	Asset	Category	Scope	Time
Added	auth.lovable.dev	URL	In Scope	16:28
Added	auth.lovable.dev	URL	In Scope	16:28
Added	api.lovable.dev	URL	In Scope	13:28
Added	api.lovable.dev	URL	In Scope	13:28

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	lovable.dev	URL	In Scope	19:20
Added	oauth.lovable.dev	URL	In Scope	19:20
Added	lovable.app	URL	Out of Scope	19:20

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	lovable.dev	URL	In Scope	00:48
Added	oauth.lovable.dev	URL	In Scope	00:48
Added	lovable.app	URL	Out of Scope	00:48

Feb 21, 2026

Change	Asset	Category	Scope	Time
Added	lovable.dev	URL	In Scope	19:13
Added	oauth.lovable.dev	URL	In Scope	19:13
Added	lovable.app	URL	Out of Scope	19:13