Security Policy

Reporting Vulnerabilities

We encourage and welcome reports of security vulnerabilities that could impact the security or functionality of our software and services. To report a potential issue:

  • Open a Ticket: Our preferred method for vulnerability reports is through our secure ticket system at https://my.layeredy.com/tickets. This ensures your report is tracked properly and handled with appropriate confidentiality.
  • Follow Responsible Disclosure: Do not publicly disclose the vulnerability until we have addressed it.

In Scope

We are mainly interested in reports about:

  • Security vulnerabilities such as injection attacks, authentication issues, or exposed sensitive data.
  • Configuration weaknesses in our hosted services or products.
  • Misconfigurations that could lead to unauthorized access or privilege escalation.
  • Cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) vulnerabilities.
  • Business logic flaws that could impact user security or privacy.

Out of Scope

The following activities are strictly prohibited when identifying or reporting vulnerabilities:

  • Service Disruption: Do not intentionally disrupt or degrade Layeredy services or infrastructure.
  • Sharing Vulnerabilities: Do not disclose vulnerabilities to third parties or make them public before we have resolved the issue.
  • Exploiting Vulnerabilities: Do not use a discovered vulnerability for any purpose other than reporting it to Layeredy securely.
  • Unauthorized Access: Avoid accessing or attempting to access data, systems, or accounts that do not belong to you.
  • Social Engineering: Do not attempt to phish or otherwise socially engineer our staff or users.
  • Automated Testing: Do not use automated vulnerability scanners without prior permission.

Response Process

When you submit a vulnerability report, you can expect:

  • An initial acknowledgment within 48 hours of receipt.
  • A preliminary assessment of the vulnerability within 5 business days.
  • Regular updates on our progress in addressing confirmed issues.
  • A notification when the vulnerability has been patched or mitigated.

Safe Harbor

We value your contributions to improving our security. If you follow this policy in good faith, we commit to:

  • Not pursuing legal action against you.
  • Working with you to understand and address the reported issue.
  • Recognizing your contributions in accordance with our public disclosure practices where appropriate.
  • Maintaining confidentiality of your identity if requested.