Security Policy and Responsible Disclosure
LYFYE treats security as a continuous discipline. This policy defines how researchers, customers, and partners can report security findings to us and what to expect from our response.
Reporting a Security Finding
If you believe you have discovered a security vulnerability in any LYFYE-operated property, contact us immediately at security@lyfye.com. Encrypted reports are accepted via the PGP key referenced in our security.txt.
Please include enough detail for us to reproduce the finding: affected URL or component, the steps to reproduce, expected versus actual behavior, and the security impact you observed. Screenshots, request and response captures, and proof-of-concept code accelerate triage.
Scope
The following LYFYE-operated assets are in scope for security research:
- https://lyfye.com (corporate marketing site)
- https://studio.lyfye.com (LYFYE Marketing Studio)
- API endpoints under https://lyfye.com/api
- Authentication flows under https://lyfye.com/sign-in and https://lyfye.com/account
Out-of-scope assets include third-party services and integrations (for example, our source repository is hosted on GitHub.com and payment processing is handled by our payment service provider). Report vulnerabilities in third-party services to those providers directly.
What We Commit To
- Acknowledge receipt of your report within two business days.
- Provide a triage status within five business days, including a severity assessment and initial remediation timeline.
- Communicate openly throughout the resolution process. You will be notified when the fix ships.
- Credit the researcher publicly in our security advisories, unless you request anonymity.
- Not pursue legal action against researchers who comply with this policy in good faith.
What We Ask From Researchers
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of LYFYE services.
- Do not access, modify, or exfiltrate data that does not belong to you.
- Do not perform denial-of-service testing, social-engineering attacks against LYFYE staff, or physical-security testing without prior written authorization.
- Allow us reasonable time to remediate before any public disclosure. Our default coordinated-disclosure window is 90 days from the report date, extendable by mutual agreement for complex issues.
Bug Bounty Program
LYFYE operates a private bug bounty program for qualifying findings. Program details, reward tiers, and platform information are available on request to security@lyfye.com. Public bug bounty enrollment information is published in our trust center and updated as the program scales.
Out of Scope Findings
The following are not eligible for a bug bounty reward, although we will still investigate them:
- Reports from automated scanners without proof of impact.
- Missing security headers without a demonstrable exploit path.
- Self-XSS that requires the user to paste code into the browser console.
- Issues caused by outdated third-party software for which LYFYE has a documented, planned upgrade.
- Theoretical vulnerabilities without practical impact.
Coordinated Disclosure and Public Advisories
Once a finding is remediated, LYFYE publishes a public advisory at /trust-center describing the finding, its impact, the fix, and credit to the reporting researcher. We follow a coordinated disclosure model: the researcher receives advance notice before the advisory is published.
Policy Updates
This policy is reviewed every six months. The current version is signed and dated below. Material changes are announced on our trust center page.
Version 1.0 — Effective 2026-05-04. Owner: Tim Bryant, Founder and CEO, LYFYE.
- security.txt — standardized security contact metadata
- Trust center — controls, audits, transparency reports
- Vulnerability disclosure procedure — submission walkthrough