Vulnerability Disclosure Procedure
A clear, step-by-step path for security researchers and customers to report a finding to LYFYE. Our commitment: acknowledge within two business days, triage within five, and credit you in the resolution advisory unless you prefer anonymity.
1. Email security@lyfye.com with the details listed below. Encrypt sensitive findings using our PGP key from security.txt.
2. Acknowledgement within two business days. Severity assessment and initial remediation timeline within five business days. You will receive a tracked case identifier.
3. Coordinated disclosure with researcher consent. Public advisory published with credit. Bug bounty payout where applicable. Fix verified and re-tested.
Information We Need in a Submission
- Affected asset: URL, API endpoint, or component name.
- Reproduction steps: ordered, complete, copy-pasteable. Include exact requests and responses where applicable.
- Expected versus actual behavior: what should happen, what does happen.
- Impact: what an attacker could achieve. CVSS 3.1 vector welcome but not required.
- Proof of concept: screenshot, video, or HTTP capture. Do not access data beyond what is needed to demonstrate the issue.
- Researcher contact: preferred email, GPG key fingerprint if an encrypted reply is expected, and the name to credit publicly or a request for anonymity.
Response Service Levels
| Severity | Acknowledge | Triage | Remediate |
|---|---|---|---|
| Critical | 24 hours | 2 business days | 7 days target |
| High | 2 business days | 5 business days | 30 days target |
| Medium | 2 business days | 5 business days | 90 days target |
| Low | 5 business days | 10 business days | Next quarterly release |
Safe Harbor
LYFYE will not pursue civil or criminal action against researchers who comply with this disclosure procedure in good faith. We treat your research as authorized testing under the Computer Fraud and Abuse Act safe-harbor provisions and equivalent local laws, provided you act within scope and avoid privacy violations or service disruption.
Out of Scope
- Findings on third-party services (GitHub, Vercel platform-level, payment processor) should be reported to those vendors.
- Denial-of-service testing without prior authorization.
- Social engineering attacks against LYFYE staff or customers.
- Physical-security testing of LYFYE facilities.
- Findings that require physical access to user devices.
Public Advisory and Credit
Once a finding is remediated, LYFYE publishes a public advisory at /trust-center listing the finding, impact, fix, and credit to the reporting researcher. We coordinate the public-disclosure date with you. Anonymous credit is honored on request.
Bug Bounty
LYFYE operates a private bug bounty program. Reward tiers and qualifying scope are shared on request to security@lyfye.com. As the program matures it will move to a public platform; subscribe to /trust-center for updates.
Urgent Reports
Email security@lyfye.com with the subject line prefixed [URGENT]. An on-call engineer will acknowledge within four hours during business hours, and within twenty-four hours otherwise. Encrypt with the PGP key from security.txt.