Security disclosure

Report a security issue.

We take security seriously and want to make it easy for researchers to reach us. Read the scope, then email [email protected].

Our commitments

What you'll get back from us.

Acknowledged in 2 business days

You'll hear from a human at [email protected] — we don't hide behind autoresponders.

Triaged in 5 business days

Severity, reproduction, and rough remediation timeline shared with the reporter.

Credit on request

Named acknowledgment on our security hall of fame page once the fix ships. If you would rather stay anonymous, say so in your report and we'll leave your name off.

No legal action

Good-faith research that stays within this policy will not be pursued under the CFAA (the US Computer Fraud and Abuse Act), the CMA (the UK Computer Misuse Act), the DMCA, or their local equivalents.

In scope

What we want you to test.

  • lepta.dev and any subdomain we operate (marketing, app, api, status, docs).
  • The Lepta QA REST API and outgoing webhooks.
  • Any Lepta-authored open-source runner or SDK we publish.
  • Client-side JavaScript we ship on our own domains.

Out of scope

Please don't do this.

  • Denial-of-service or resource-exhaustion attacks.
  • Physical attacks against our office, staff, or property.
  • Social engineering of Lepta employees or contractors.
  • Testing that impacts other customers' workspaces — use your own workspace or a scratch account.
  • Automated scanner reports without a working proof-of-concept.
  • Missing security headers on pages that don't handle sensitive data.
  • Rate-limit-only findings that require abusing a valid account.
  • Reports about email spoofing on domains we don't send from.
  • Third-party integrations (GitHub, Zoom, Slack, etc.) — please report those to the vendor.

Rewards

Bounty bands.

Indicative ranges. Final amounts reflect severity, quality of the report, and business impact.

Severity   Range              Example
Critical   $1,000 – $5,000    RCE, tenant isolation break, workspace-wide data exposure.
High       $500 – $1,500      Authentication bypass, IDOR on a critical resource, stored XSS with session takeover.
Medium     $150 – $500        Reflected XSS with limited impact, CSRF on a state-changing route.
Low        $50 – $150         Missing hardening, information leaks without a direct exploit path.

Ready to report?

Send us your finding at [email protected]. Include a proof-of-concept and impact assessment where possible.

FAQ

Common questions.

How do I send you a report?

Email [email protected]. Include: a description, steps to reproduce, expected vs. observed behaviour, and any impact assessment. PGP key on request. We prefer plain text — no zips of screenshots unless truly necessary.

Do you pay bounties?

Yes — see the reward bands above. Bounties are discretionary and scale with severity and quality of the report. First reporter wins; duplicates are eligible for a smaller finder's fee if the original was still under embargo.

Can I test in production?

Yes, but only against your own workspace and only using accounts you control. Never test against a customer workspace you don't own. Use realistic-but-obviously-test data (Test User Alpha, not real PII) and rate-limit yourself.

How long do I need to keep the finding private?

90 days from the initial report, or until we ship a fix — whichever comes first. If we can't fix it in 90 days we'll ask for an extension and explain why. Coordinated disclosure builds trust both ways.