Responsible Disclosure Policy

Effective Date: April 1, 2026

At Laurel Shield, we take security seriously — both for our clients and for our own systems. We welcome and appreciate security researchers who help us keep our platform safe. If you believe you have found a security vulnerability in our website or services, we encourage you to report it responsibly.

Scope

The following assets are in scope for responsible disclosure:

• security.laurelshield.com — our primary website.
• Any subdomains of laurelshield.com that we operate.
• APIs and services exposed by our web properties.

Out of Scope

• Third-party services, integrations, or platforms we do not control.
• Findings from automated scanners without validated proof of concept.
• Social engineering or phishing attacks against our employees.
• Physical security attacks against our offices or infrastructure.
• Denial of service (DoS/DDoS) attacks.
• Spam or content injection without demonstrated security impact.

What to Include in Your Report

To help us investigate and respond efficiently, please provide:

• A clear description of the vulnerability and its potential impact.
• Detailed steps to reproduce the issue.
• Proof of concept (screenshots, video, HTTP requests/responses, etc.).
• The affected URL, endpoint, or component.
• Your assessment of severity (e.g., CVSS score if applicable).
• Any suggestions for remediation.

Our Commitment

When you report a vulnerability in good faith following this policy, we commit to:

• Acknowledge your report within 2 business days.
• Investigate and validate the reported issue promptly.
• Provide updates on our progress at least every 7 days until resolution.
• Remediate confirmed vulnerabilities in a timely manner based on severity.
• Credit you publicly (with your permission) once the issue is resolved.
• Not pursue legal action against researchers who act in good faith and comply with this policy.

Researcher Guidelines

To qualify for safe harbor under this policy, researchers must:

• Act in good faith and avoid privacy violations, data destruction, or service disruption.
• Only interact with accounts you own or have explicit permission to test.
• Not access, modify, or delete data belonging to other users.
• Not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (minimum 90 days from report date).
• Not exploit the vulnerability beyond what is necessary to demonstrate proof of concept.
• Comply with all applicable laws.

Recognition

We believe in recognizing the contributions of the security community. For valid, in-scope reports, we offer:

• Public acknowledgment on our website (with your consent).
• A letter of appreciation that may be referenced professionally.
• Direct communication with our security team for findings of exceptional quality.

We do not currently offer monetary bounties, but we reserve the right to reward exceptional findings at our discretion.

Response Timeline

• Acknowledgment: within 2 business days.
• Triage and severity assessment: within 5 business days.
• Critical/High severity: remediation target of 14 days.
• Medium severity: remediation target of 30 days.
• Low/Informational: remediation target of 90 days.

Contact

Security Reports: security@laurelshield.com
General Inquiries: contact@laurelshield.com

Thank you for helping us keep Laurel Shield and our clients safe.