Security Vulnerability Reporting and Bug Bounty Program

Last updated: May 26, 2026

Vulnerability Disclosure

We value input from the security community that helps us protect our customers’ data. If you discover a potential vulnerability, we want to hear about it.

Focus Areas

We’re particularly interested in reports related to:

  • Authentication bypass or privilege escalation

  • Unauthorized access to data across workspace boundaries

  • Injection attacks or remote code execution

In Scope

  • The Lightfield web application and supporting services

  • The Lightfield API

  • Lightfield client SDKs

Out of Scope

  • Automated scanning of any kind

  • Social engineering, including phishing

  • Denial of service attacks

  • Attacks requiring physical access to a victim’s device

  • Theoretical attacks without proof of exploitability

  • Missing best practices in HTTP headers, cookies, TLS configuration, or DNS records on our marketing site

How to Report

Send your findings to security@lightfield.app with the following details:

  • A summary of the issue and its potential impact

  • Steps to reproduce, including any tools used

  • Proof-of-concept code, if available

Our team will investigate and keep you updated on progress. We may follow up for additional details.

Responsible Conduct

We ask that researchers:

  • Test only against their own accounts or with explicit permission from the account holder.

  • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption.

  • Report the vulnerability to us before disclosing it publicly, and give us reasonable time to address it.

  • Not attempt to expand or elevate access beyond what is necessary to demonstrate the vulnerability.

  • Comply with all applicable laws.

Safe Harbor

Research conducted in good faith under this policy is considered authorized. We will not pursue legal action against you for activities consistent with these guidelines. If a third party initiates legal action related to your research, we will take steps to make it known that your actions were conducted in compliance with this policy.

We are committed to addressing legitimate security concerns promptly. Please allow our team reasonable time to investigate and respond to your report before considering public disclosure.

Common Questions

Do you have a bug bounty program?

We currently do not have a formal bug bounty program that offers monetary rewards for vulnerability reports. However, we greatly appreciate responsible disclosure and will acknowledge researchers who help improve our security posture.

What should I do if I don't receive a response to my security report?

If you haven't received a response within a reasonable timeframe (typically 5-7 business days), please follow up by sending another email to security@company.com. Include your original report reference if available.

Can I publicly disclose vulnerabilities I've found?

We request that you follow responsible disclosure practices by reporting vulnerabilities to us first and allowing adequate time for remediation before any public disclosure. This helps protect our users and gives us the opportunity to address security issues appropriately.