● VULNERABILITY DISCLOSURE

Find a security issue? Tell us safely.

We treat security researchers as partners, not threats. If you find a vulnerability in LeanOS, our public marketing site, or our mobile app, please follow the disclosure policy below — we'll respond within 5 business days and work with you in good faith to resolve it.

Where to send your report

Encrypt sensitive details with our PGP key at /.well-known/security-pubkey.asc. Initial response within 5 business days, max.

● WHAT TO INCLUDE IN YOUR REPORT

Help us reproduce + verify, fast

  • Affected surface — domain (getleanos.com, leanos-taupe.vercel.app, etc.), URL path, mobile app version
  • Vulnerability type — XSS, SQL injection, RLS bypass, broken auth, IDOR, CSRF, dependency CVE, etc.
  • Reproduction steps — every step needed to trigger the issue, with screenshots / curl commands / video
  • Impact — what an attacker could do (read other-org data, escalate privilege, denial of service)
  • Your contact — name + email (or pseudonym + email if you prefer)
  • Coordination preferences — do you want public credit when disclosed; do you want to publish a write-up yourself

● IN SCOPE

We want reports on

  • getleanos.com + all subdomains
  • The LeanOS web app (any /app/* route)
  • The LeanOS public API (/api/* routes)
  • The LeanOS Android APK (sideload + Play Store builds)
  • Authentication + session management
  • RLS / multi-tenant isolation bypasses
  • SSRF / IDOR / privilege escalation
  • Cryptographic weakness (e.g., predictable IDs)
  • Sensitive data exposure

● OUT OF SCOPE

Please don't report these

  • Issues in third-party services (Supabase, Vercel, Anthropic) — report to them directly
  • Self-XSS, clickjacking with no security impact
  • Missing best-practice headers without exploit path
  • Social engineering of our team / customers
  • Physical attacks on offices / hardware
  • Denial-of-service through volumetric attacks
  • Reports requiring a victim to install malicious software
  • Outdated browser / OS-specific issues

● OUR COMMITMENTS TO YOU

What we'll do after you report

  • 5 business days: Acknowledge receipt. Confirm we received the report + ask any clarifying questions.
  • 14 days: Initial assessment. Reproduce the issue + classify severity (P0 critical / P1 high / P2 medium / P3 low) + share our planned remediation timeline.
  • 30 days (P0/P1) · 90 days (P2/P3): Fix + verify. Patch deployed + verified fixed. We'll let you know when.
  • After fix: Recognition. If you want public credit, you go on our Hall of Fame below. If you don't, your identity stays private.
  • Coordinated: Public disclosure. We coordinate with you on when + how to publish. Default: 90 days after fix is live, or earlier by mutual agreement.

● SAFE HARBOR

We won't sue you for finding security issues in good faith

As long as you follow this policy, we agree that:

  • Your activity is authorized testing under applicable computer-fraud laws
  • We won't pursue civil or criminal action against you
  • We won't notify law enforcement unless you maliciously exploit or extort
  • We'll engage with you in good faith to fix and credit

Safe harbor does NOT cover: actions that harm customer data, actions that disrupt our service, accessing accounts that aren't yours, social engineering, physical attacks, or exfiltrating data beyond what's needed to demonstrate the issue.

● HALL OF FAME

Researchers who've made LeanOS safer

Public acknowledgment for researchers who report responsibly. Listed by date of first acknowledged report. Anonymity respected on request.

Be the first

We're an early-stage company — no formal bug bounty yet, but we send a thank-you gift to every researcher who helps us. Bug bounty program targeted to launch Q1 2027.

Last updated: 17 May 2026 · Machine-readable contact: /.well-known/security.txt · Policy version: v1.0