Report a security issue.
Our commitments
What you'll get back from us.
Acknowledged in 2 business days
You'll hear from a human at [email protected] — we don't hide behind autoresponders.
Triaged in 5 business days
Severity, reproduction, and rough remediation timeline shared with the reporter.
Credit on request
Named acknowledgment on our security hall of fame page after the fix ships (or immediately, if you prefer to stay anonymous).
No legal action
Good-faith research that follows this policy will not be pursued under CFAA, CMA, DMCA, or their local equivalents.
In scope
What we want you to test.
- lepta.dev and any subdomain we operate (marketing, app, api, status, docs).
- The Lepta QA REST API and outgoing webhooks.
- Any Lepta-authored open-source runner or SDK we publish.
- Client-side JavaScript we ship on our own domains.
Out of scope
Please don't do this.
- Denial-of-service or resource-exhaustion attacks.
- Physical attacks against our office, staff, or property.
- Social engineering of Lepta employees or contractors.
- Testing that impacts other customers' workspaces — use your own workspace or a scratch account.
- Automated scanner reports without a working proof-of-concept.
- Missing security headers on pages that don't handle sensitive data.
- Rate-limit-only findings that require abusing a valid account.
- Reports about email spoofing on domains we don't send from.
- Third-party integrations (GitHub, Zoom, Slack, etc.) — please report those to the vendor.
Rewards
Bounty bands.
Indicative ranges. Final amounts reflect severity, quality of the report, and business impact.
| Severity | Range | Example |
|---|---|---|
| Critical | $1,000 – $5,000 | RCE, tenant isolation break, workspace-wide data exposure. |
| High | $500 – $1,500 | Authentication bypass, IDOR on a critical resource, stored XSS with session takeover. |
| Medium | $150 – $500 | Reflected XSS with limited impact, CSRF on a state-changing route. |
| Low | $50 – $150 | Missing hardening, information leaks without direct exploit path. |
Ready to report?
Send us your finding at [email protected]. Include a proof-of-concept and impact assessment where possible.
FAQ
Common questions.
How do I send you a report?
Email [email protected]. Include: a description, steps to reproduce, expected vs. observed behaviour, and any impact assessment. PGP key on request. We prefer plain text — no zips of screenshots unless truly necessary.
Do you pay bounties?
Yes — see the reward bands above. Bounties are discretionary and scale with severity and quality of the report. First-reporter wins; duplicates are eligible for a smaller finder's fee if the original was still under embargo.
Can I test in production?
Yes, but only against your own workspace and only using accounts you control. Never test against a customer workspace you don't own. Use realistic-but-obviously-test data (Test User Alpha, not real PII) and rate-limit yourself.
How long do I need to keep the finding private?
90 days from initial report, or until we ship a fix — whichever comes first. If we can't fix it in 90 days we'll ask for an extension and explain why. Coordinated disclosure builds trust both ways.