Vulnerability Disclosure Policy

PROMISE

Maintaining the security of our networks is a high priority at Leverage. Our information technologies support critical business operations. Ultimately, our network security ensures that we can accomplish our mission and further enable our customers' business goals. The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Leverage recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in a Leverage website or web application, we want to hear from you!

SCOPE

  • *.lvrg.ai or *.tryleverage.ai
  • Any web properties owned by Leverage are in scope of the program.
  • Customers of Leverage, or non-Leverage sites behind our infrastructure, are out of scope.

SAFE HARBOR

Leverage pledges not to initiate legal action against researchers as long as they adhere to this policy.

PROCESS

How to Submit a Vulnerability: To submit a vulnerability report to Leverage’s Product Security Team, please send an email to security@lvrg.ai.

What we would like to see from you:

  • Well-written reports in English will have a higher chance of being accepted.
  • Reports that include proof of concept code will be more likely to be accepted.
  • Reports that include only crash dumps or other automated tool output will most likely not be accepted.
  • Reports that include products not on the covered list will most likely be ignored.
  • Include how you found the bug, the impact, and any potential remediation.
  • Any plans for public disclosure.

What you can expect from us:

  • A timely response to your email (within 2 business days).
  • An open dialogue to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • An expected timeline for patches and fixes (usually within 120 days).
  • Credit after the vulnerability has been validated and fixed.

PREFERENCES

Public Notification. If applicable, Leverage will coordinate a public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously. In order to protect our customers, Leverage requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

NTIA reminder on public disclosure. Finders do not create vulnerabilities. The fact that one finder does not disclose a vulnerability's existence does not guarantee that another will not find it, or has not already found it. Finders may have reasons to want to disclose the vulnerability publicly. A coordinated disclosure situation is preferable to one without control. Vendors may want to express preferences on when finders publicly talk about vulnerabilities.