Security
Responsible disclosure policy
LexaAI handles privileged legal and billing data for law firms. We treat security
research as a partnership. If you find a vulnerability, tell us in good faith and
we will respond quickly, credit your work, and keep you protected.
Report a vulnerability
- Response SLA
- Acknowledgement within 72 hours
- Disclosure window
- 90 days (coordinated)
- PGP
- Available on request
In scope
- app.lexaai.tech — the production web application and its API under
/api/*
- The LexaAI VPS infrastructure supporting the above
- Authentication, session handling, and multi-factor flows
- Authorization and tenant-isolation boundaries (one firm must never see another’s data)
- Cryptographic correctness (hashing, tokens, session cookies, encryption at rest)
- Injection vulnerabilities (SQL, command, template, prompt injection affecting privilege)
- Server-side request forgery and related server-side vulnerabilities
- Sensitive data exposure in responses, logs, or error pages
Out of scope
- Denial-of-service, volumetric, or brute-force attacks
- Social engineering of LexaAI staff, customers, or vendors
- Physical attacks against offices or infrastructure
- Findings from automated scanners without a working proof of concept
- Missing best-practice headers on non-sensitive endpoints when no exploit is demonstrated
- Self-XSS, clickjacking on pages without sensitive actions, rate-limit opinions
- Vulnerabilities in third-party subprocessors — please report those upstream
Safe harbor
If you make a good-faith effort to comply with this policy, we will not pursue or
support legal action against you for your research. We consider your activity
authorized and will work with you to understand and resolve the issue quickly.
Good faith means: stop at proof of concept, do not access data beyond what is
necessary to demonstrate impact, do not degrade service, and do not disclose
publicly before we have had a reasonable chance to fix the issue.
What we ask
- Give us a reasonable time to remediate before any public disclosure — typically 90 days.
- Do not exfiltrate, retain, or share customer data. If you encounter any, stop and report it.
- Use only test accounts you control, or the
demo tenant where applicable.
- Avoid automated scanning that generates high-volume traffic against production.
What you get
- A human reply within 72 hours — usually sooner.
- Status updates as we triage, patch, and ship the fix.
- Public credit on our security acknowledgements page if you want it.
- Where appropriate, a discretionary bounty — we are a small team, but we value the work.