Legal

Security & Responsible Disclosure

We welcome reports from security researchers. If you've found a vulnerability that affects Lacuna's customers, send a report to security@lacunapdf.com — we read every message and reply within 3 business days. The full triage SLA is 30 days from acknowledgement to a fix or a documented reason for not fixing.

What to include

  • A short description of the issue and the impact.
  • Reproduction steps — including the URL or endpoint, the payload, and any account / role / tier needed to reproduce.
  • Your affiliation (independent researcher, bug-bounty platform, customer's security team) so we can scope the conversation correctly.
  • A PGP-encrypted email if the issue is sensitive — public key on request.

What to avoid

We ask researchers to act in good faith and avoid actions that would harm customers or our service:

  • Don't attempt to access another tenant's data. Use your own test accounts; if you find a tenant-isolation bug, prove it with two accounts you control.
  • Don't run automated scanners or load tests against production. They generate noise that drowns out real attacks; if you need throughput to demonstrate the issue, ask first and we'll provision a staging tenant.
  • Don't exfiltrate or retain customer data. If you accidentally see customer data while reproducing, stop, delete what you saw, and tell us.
  • Don't publicly disclose until we've confirmed the fix is deployed or 90 days have passed since your initial report — whichever comes first.

Safe harbor

Research conducted in good faith under this policy — including accessing your own test accounts, demonstrating tenant isolation with multiple accounts you control, and the good-faith mistakes that come with security research — will not be the subject of a Computer Fraud and Abuse Act, DMCA, or Terms of Service action by Lacuna. We won't threaten or pursue legal action for research that follows the boundaries above; if a third party brings action against you for research you did under this policy, we'll make our position known.

What's in scope

Anything under lacunapdf.com and *.lacunapdf.com (excluding sub-processor surfaces — Clerk, Stripe, Cloudflare, Supabase, Fly, Resend, Sentry — which run their own programs). Both the dashboard and the public API are in scope. The hash-chained audit log is a particularly welcome target: if you find a way to insert events without breaking the chain, or rewrite events such that verify_since still passes, we want to know.

What's out of scope

  • Volumetric DoS / DDoS — we run behind Cloudflare and rate-limit ourselves at the edge; reports here aren't actionable for us.
  • Findings that depend on a compromised end-user device, social engineering of Lacuna staff, or physical access.
  • SPF / DKIM / DMARC nuances on transactional email beyond the standard public envelope (we run those through Resend).
  • Self-XSS or attacks that require the victim to paste attacker-controlled content into their own console.
  • Best-practice recommendations without a demonstrated exploit path (e.g. "your CSP could be tighter" without an XSS payload that bypasses it).

Bounty

We don't run a paid bounty program at the moment. We do publish credit for confirmed reports (with your permission) and we'll send a written reference letter to anyone who wants one. Once we have steady customer revenue, we'll launch a bounty against the same scope — researchers who reported earlier under this policy will be eligible to retroactively re-submit under the bounty terms.

Other surfaces

Customer abuse reports (spam, content violations, account misuse) belong at abuse@lacunapdf.com. Privacy and DSAR requests belong at privacy@lacunapdf.com — see also our deletion model. This page is for security vulnerabilities only.

Security reports
security@lacunapdf.com