Responsible Disclosure Policy

Purpose

Grey Swift Private Limited (Leegality) is committed to safeguarding the integrity, confidentiality, and availability of its platform. We recognize the valuable contributions of independent security researchers and ethical hackers in helping us protect our systems. This Responsible Disclosure Policy outlines the framework for reporting potential vulnerabilities in a lawful, constructive, and secure manner.

Disclosure Policy

This policy is designed to encourage responsible reporting of potential security vulnerabilities. We support ethical research conducted in good faith and are committed to investigating all legitimate reports. Vulnerabilities reported in accordance with this policy will not result in any legal action by Leegality against the reporter. Leegality reserves all legal rights in the event of any non-compliance or breach.

Scope

This Responsible Disclosure Policy applies to the Document Execution Platform, APIs and services owned, operated, or controlled by Grey Swift Private Limited (Leegality).

In Scope:

We encourage you to report vulnerabilities related to:

  • app1.leegality.com
  • Public-facing APIs for e-signing, e-stamping, and workflow services

Typical examples include:

  • Authentication and session management flaws
  • Authorization bypass
  • Cross-site scripting (XSS)
  • SQL injection
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Privilege escalation
  • Sensitive data exposure

Out of Scope:

The following issues are not considered in scope:

  • Social engineering (including phishing) attempts
  • Physical attacks against Leegality infrastructure or premises
  • Clickjacking on pages
  • Absence of security headers, missing SSL/TLS best practices, or missing rate limiting, without a working proof-of-concept
  • Vulnerabilities in third-party services, open-source libraries, or frameworks not under Leegality’s control
  • Denial of Service (DoS) attacks or attempts to disrupt service availability
  • Issues on test or sandbox environments unless explicitly allowed
  • Low-risk issues with no meaningful security impact, such as UI/UX bugs, spelling mistakes, or minor configuration errors
  • Widely publicized zero-day vulnerabilities that have no patch or have had a patch available for less than 30 days

If you’re uncertain whether an issue falls within scope, you may contact us at responsible-disclosure@leegality.com before initiating any testing.

Non-Compliance

Public disclosure of any identified vulnerability without explicit written consent from Leegality will render the submission non-compliant with this Responsible Disclosure Policy.

To remain compliant, researchers must not:

  • Access more data than is necessary to demonstrate the vulnerability. Any such access must be limited and solely for the purpose of responsible disclosure.
  • Access, modify, download, or delete any data that does not belong to you.
  • Conduct tests that disrupt, degrade or negatively impact the performance, availability or reliability of Leegality’s systems, services or infrastructure.
  • Target third-party websites, applications, or services that are integrated with or linked to Leegality systems, unless explicit written authorization has been obtained.
  • Engage in testing that sends spam, junk mail, or other forms of unsolicited or unauthorized communication.
  • Conduct further testing once you have confirmed a vulnerability; report it immediately instead.
  • Use automated scanners, fuzzers, or load tools that may cause availability issues.
  • Withhold from Leegality any information required to reproduce and verify the issue.
  • Publicly disclose any identified vulnerability or any information that must be reasonably understood to be confidential without explicit written consent from Leegality.

Eligibility

Your participation is voluntary but subject to the following conditions:

  • You must be at least 18 years of age or have legal guardian consent.
  • You must not be a past or present employee, intern, or contractor at Leegality.
  • Your testing and reporting must comply with all applicable laws and the terms of this policy.

Reporting Potential Vulnerabilities

To report a vulnerability, please email responsible-disclosure@leegality.com with the following:

  • A clear and descriptive summary of the issue.
  • Step-by-step reproduction instructions.
  • Relevant URLs, endpoints, or parameters.
  • Any associated logs, screenshots, or proof-of-concept code.
  • If applicable, the potential impact and any recommended remediation actions.
  • Your contact details, such as full name, email address, affiliated organization (if applicable), and phone number, for recognition.

Reports without sufficient information will not be considered.

Leegality's Commitment

Every submission will follow a structured review process:

  • We will acknowledge valid reports within 5 business days.
  • Our internal security team will verify if the vulnerability exists and assess its impact.
  • If we determine (in our sole discretion) that a vulnerability exists, it will be prioritized and assigned a remediation timeline based on severity.
  • Patches or mitigations will be implemented as determined solely by Leegality. We may collaborate with you to understand and address the issue.
  • The duration of the full process may vary depending on complexity and system dependencies.

Leegality values the efforts of ethical security researchers who help make our systems safer. In our sole discretion, we may provide compensation or other forms of recognition for valid vulnerability disclosures that result in actionable improvements to our security posture.

Privacy

We collect your personal data (such as name, email, IP address, and affiliated organization) solely to manage communications related to your vulnerability report. We will protect your name and information and will not disclose it without your consent, unless required under applicable laws.

Code of Conduct

Participants must maintain professionalism, respect the law, and act in good faith. Any behavior that includes intimidation, coercion, blackmail, aggressive demands, or public shaming of our organization or its stakeholders will result in immediate disqualification and may trigger legal or disciplinary action.

We encourage collaborative and respectful engagement in the interest of improving security.

Legal Disclaimer

Leegality reserves the right to modify or terminate this policy at any time without notice. Participation does not grant permission to act on behalf of Leegality or any of its affiliates. 

This policy does not create any obligation on Leegality to compensate, recognize, or maintain confidentiality beyond what is explicitly stated.