Security & Responsible Disclosure
We welcome reports from security researchers. If you've found a vulnerability that affects Lacuna's customers, send a report to security@lacunapdf.com — we read every message and reply within 3 business days. The full triage SLA is 30 days from acknowledgement to a fix or a documented reason for not fixing.
What to include
- A short description of the issue and the impact.
- Reproduction steps — including the URL or endpoint, the payload, and any account / role / tier needed to reproduce.
- Your affiliation (independent researcher, bug-bounty platform, customer's security team) so we can scope the conversation correctly.
- A PGP-encrypted email if the issue is sensitive — public key on request.
What to avoid
We ask researchers to act in good faith and avoid actions that would harm customers or our service:
- Don't attempt to access another tenant's data. Use your own test accounts; if you find a tenant-isolation bug, prove it with two accounts you control.
- Don't run automated scanners or load tests against production. They generate noise that drowns out real attacks; if you need throughput to demonstrate the issue, ask first and we'll provision a staging tenant.
- Don't exfiltrate or retain customer data. If you accidentally see customer data while reproducing, stop, delete what you saw, and tell us.
- Don't publicly disclose until we've confirmed the fix is deployed or 90 days have passed since your initial report — whichever comes first.
Safe harbor
Research conducted in good faith under this policy — including accessing your own test accounts, demonstrating tenant isolation with multiple accounts you control, and the good-faith mistakes that come with security research — will not be the subject of a Computer Fraud and Abuse Act, DMCA, or Terms of Service action by Lacuna. We won't threaten or pursue legal action for research that follows the boundaries above; if a third party brings action against you for research you did under this policy, we'll make our position known.
What's in scope
Anything under lacunapdf.com and *.lacunapdf.com (excluding sub-processor surfaces — Clerk, Stripe, Cloudflare, Supabase, Fly, Resend, Sentry — which run their own programs). Both the dashboard and the public API are in scope. The hash-chained audit log is a particularly welcome target: if you find a way to insert events without breaking the chain, or rewrite events such that verify_since still passes, we want to know.
What's out of scope
- Volumetric DoS / DDoS — we run behind Cloudflare and rate-limit ourselves at the edge; reports here aren't actionable for us.
- Findings that depend on a compromised end-user device, social engineering of Lacuna staff, or physical access.
- SPF / DKIM / DMARC nuances on transactional email beyond the standard public envelope (we run those through Resend).
- Self-XSS or attacks that require the victim to paste attacker-controlled content into their own console.
- Best-practice recommendations without a demonstrated exploit path (e.g. "your CSP could be tighter" without an XSS payload that bypasses it).
Bounty
We don't run a paid bounty program at the moment. We do publish credit for confirmed reports (with your permission) and we'll send a written reference letter to anyone who wants one. Once we have steady customer revenue, we'll launch a bounty against the same scope — researchers who reported earlier under this policy will be eligible to retroactively re-submit under the bounty terms.
Other surfaces
Customer abuse reports (spam, content violations, account misuse) belong at abuse@lacunapdf.com. Privacy and DSAR requests belong at privacy@lacunapdf.com — see also our deletion model. This page is for security vulnerabilities only.