Responsible disclosure

LedgerGuard takes the security of customer and workspace data seriously. If you believe you have found a security vulnerability in a LedgerGuard-controlled service, we welcome coordinated disclosure so we can investigate and remediate with appropriate care.

How to report

Email **`security@ledgerguard.io`** with a clear description of the issue, the affected component (web app, API, worker-facing surface, etc.), and steps to reproduce. Encrypting your message with PGP is welcome; if you do, include your public key or fingerprint in the mail so we can respond in kind.

Please allow reasonable time for triage before any public disclosure. We aim to acknowledge valid reports and keep you informed of material progress.

What we ask of you

  • Do not perform denial-of-service attacks or tests that degrade availability for customers.
  • Do not run high-volume or destructive automated tooling against our production systems without prior written agreement.
  • Do not access, modify, or retain data that does not belong to you. Use controlled test accounts or synthetic data where possible.
  • Do not publicly disclose vulnerability details until we have had a chance to assess and ship mitigations (or we agree on a disclosure timeline).

What you can expect from us

  • We will assess impact and reproducibility for reports that fall within scope.
  • We may request clarifications or a short demonstration under agreed constraints.
  • If a finding is valid and actionable, we prioritize remediation and deployment of fixes according to severity.
  • We are happy to credit researchers who wish to be acknowledged, unless you prefer to remain anonymous.

In scope

Issues that materially affect the confidentiality, integrity, or availability of LedgerGuard production services we operate, including:

  • The customer-facing LedgerGuard web application (including marketing and authenticated product hosts we operate).
  • The LedgerGuard HTTP API as documented for production use (same deployment boundary as your workspace data path).
  • Misconfiguration or weakness in our use of infrastructure or identity providers when it affects tenant isolation, authentication, or authorization in the product.

Out of scope

  • Automated scanning noise without a demonstrated exploit path.
  • Social engineering of LedgerGuard staff or customers.
  • Credential stuffing or password brute force against individual accounts.
  • Clickjacking on pages with no sensitive action or financial impact.
  • Missing generic HTTP security headers without a practical exploit against LedgerGuard.
  • Issues only reproducible on unsupported or end-of-life browsers, or solely in third-party services (please report those to the relevant vendor).

Recognition

We do not operate a public monetary bounty program. For significant, previously unknown issues that we confirm and remediate, we may offer public acknowledgment in a hall-of-fame style list at our discretion, subject to your preference and coordinated disclosure timing.

Security contact

For procurement questionnaires, customer trust reviews, or non-vulnerability security topics, use the same address and include your organization and context.
