Vulnerability Disclosure Policy

Last updated July 15, 2026

Responsible vulnerability disclosure

If you have discovered a vulnerability in a Lapel system, please report it! Email us at security@lapel.com. We read every report.

We will not take legal action against, nor ask law enforcement to investigate, researchers who work with us in good faith. Good faith means:

  • Sharing the full details of the issue with us promptly

  • Making every effort to avoid violating our customers' (or our) privacy, destroying data, and interrupting or degrading our services

  • Using exploits only to the extent needed to confirm a vulnerability, and not to access or exfiltrate data, establish persistent access, or pivot to other systems

  • Testing only with accounts you own or are authorized to use

  • Giving us a reasonable amount of time to fix the issue before disclosing it publicly

Scope

This policy covers Lapel's public-facing services: our website (lapel.com), our production web application, and our public APIs.

Out of scope: systems operated by third-party vendors (please report those directly to the vendor), staging or internal environments, physical security testing, social engineering (including phishing of Lapel employees or customers), and denial-of-service testing of any kind. If you're not sure whether something is in scope, ask us first at security@lapel.com.

Reporting a vulnerability

Email security@lapel.com with a description of the issue, where you found it, its potential impact, and steps to reproduce (proof-of-concept scripts or screenshots help). Reports may be submitted anonymously. We don't operate a bug bounty program or offer monetary rewards.

What to expect from us

  • We'll acknowledge your report within 3 business days

  • We'll keep you informed as we investigate and remediate, and aim to fix confirmed vulnerabilities within 90 days

  • Anything you submit will be used only to mitigate or remediate vulnerabilities, and we won't share your name or contact details without your permission

We ask that you keep vulnerability details confidential for 90 days after our acknowledgement, or until we confirm a fix, whichever comes first. If you believe others need to know sooner, please coordinate with us in advance.

Questions

Any other security-related questions? We'd love to hear from you at security@lapel.com.