Security

Responsible disclosure.

We’re a security company, and we hold ourselves to the standard we set for our clients. If you’ve found a security issue in something we run, we want to hear about it — and we’ll work with you in good faith to get it fixed.

How to report

Email our security team directly.

Send your report to the address below. Please include enough detail for us to reproduce and understand the issue.

  • A clear description of the issue and where you found it.
  • Step-by-step instructions to reproduce it (proof-of-concept welcome).
  • The potential impact, as you understand it.
  • How we can reach you for follow-up questions.

Security contact

security@levoysec.com

We aim to acknowledge new reports within three business days and will keep you updated as we investigate and remediate.

This policy is published at /.well-known/security.txt per RFC 9116.

Scope

What’s in scope, and what isn’t.

In scope

  • Our public websites and web applications (levoysec.com and the security platform we run for clients).
  • Authentication, authorization, and access-control flaws.
  • Injection, server-side request forgery, and remote code execution.
  • Exposure of sensitive data or credentials.
  • Significant security misconfigurations on systems we operate.

Out of scope

  • Findings that require physical access to a device, or social engineering of our staff or customers.
  • Denial-of-service, volumetric, or load testing of any kind.
  • Automated scanner output with no demonstrated, real-world impact.
  • Reports about missing best-practice headers or TLS configuration with no exploitable consequence.
  • Vulnerabilities in third-party services we use but do not operate — report those to the relevant vendor.

Ground rules

Test responsibly.

We ask that researchers give us a reasonable, good-faith opportunity to investigate and fix an issue before it’s shared publicly.

  • Don’t access, modify, or delete data that isn’t yours — use a test account where possible.
  • Don’t degrade, disrupt, or run denial-of-service tests against our services.
  • Don’t use social engineering, phishing, or physical attacks against our people or customers.
  • Keep details of any issue confidential until we’ve had a reasonable chance to remediate.

Safe harbor

If you make a good-faith effort to follow this policy, we will treat your research as authorized. We won’t pursue or support legal action against you for security testing and disclosure conducted in line with these guidelines.

If legal action is initiated by a third party against you for activity that complied with this policy, we’ll make it known that your actions were authorized. Act in good faith and we’ll do the same.

We don’t currently run a paid bug-bounty program. Reports are accepted and addressed on a goodwill basis; no payment is offered or implied. We’re always glad to credit researchers who’d like the recognition.

Found something? Let us know.

Email security@levoysec.com with the details. We take every report seriously and we’ll keep you in the loop.