Trust & Safety

Security disclosure

Coordinated vulnerability reporting for the LeasingStack platform. For operational status and incidents, see our public status page.

1. Purpose

LeasingStack takes the security of our platform, customer organizations, and end users seriously. This page describes how independent security researchers and customers may report vulnerabilities in a coordinated manner. It supplements our Terms of Service and Privacy Policy and does not constitute an offer of compensation unless expressly agreed in writing.

2. Scope

Reports we evaluate under this program generally concern vulnerabilities that materially affect the confidentiality, integrity, or availability of LeasingStack-operated services, including public websites, authenticated staff portal areas you are authorized to access, documented APIs, and mobile or progressive web experiences we operate for the platform. Product areas owned by third parties (for example, a payment processor's checkout UI hosted entirely on their domain) should be reported to the relevant vendor unless the issue clearly originates in LeasingStack-controlled code or configuration.

3. Out of scope

The following are typically out of scope: spam or social engineering against individuals; denial-of-service tests that degrade production systems; physical security; findings requiring unlikely user interaction with no meaningful impact; missed security headers or TLS configuration where industry consensus treats them as informational without demonstrated exploitability; issues in deprecated or unsupported clients; and content or conduct violations unrelated to technical vulnerabilities.

4. Rules of engagement

Do not access, modify, destroy, or exfiltrate data that does not belong to you. Do not compromise user privacy or conduct intrusive testing against customer tenants without their written authorization. Use test accounts and synthetic data where possible. Avoid automated scanning at rates that could impair service availability. When in doubt, pause and contact us before proceeding.

5. Safe harbor

If you act in good faith and comply with this policy and applicable law, we will not pursue civil action or refer you for criminal investigation for accidental, good-faith violations of restrictions that would otherwise apply, where those violations occur solely because your research was undertaken under this policy. We cannot bind third parties (such as internet service providers or law enforcement); this statement reflects LeasingStack's intent only.

6. How to report

Send reports to security@leasingstack.com. Encrypt sensitive details if your mail client supports S/MIME or OpenPGP. Include: a concise description of the issue, affected URLs or endpoints, reproduction steps, estimated severity, and whether you believe the issue is publicly known. Please allow us reasonable time to remediate before any public disclosure.

7. What to expect

We aim to acknowledge receipt of credible reports within five U.S. business days. Timelines for triage, remediation, and customer notification vary by severity and operational dependencies. We may coordinate with affected organizations where they hold controller or regulatory obligations for certain datasets.

8. Recognition

LeasingStack does not operate a paid bug bounty program at this time. With your consent, we may, at our discretion, acknowledge researchers who make substantial contributions (for example, in release notes or a public acknowledgments section). No acknowledgment is guaranteed.

Researcher acknowledgments

From time to time we may recognize individuals or organizations that report qualifying vulnerabilities in good faith and in accordance with this policy. Listing is at our sole discretion and does not establish precedent.

Primary security contact

Email: security@leasingstack.com
Legal and contractual notices may continue to be directed to legal@leasingstack.com where appropriate.