Trust
Bug bounty disclosure policy
We welcome coordinated vulnerability disclosure. Report findings to security@legalaudit.ch.
In scope
- legalaudit.ch domain and subdomains owned by LegalAudit SA.
- Authenticated and unauthenticated application logic.
- Authorisation/tenancy boundary issues.
- Server-side injection, SSRF, deserialization, race conditions.
- Dossier integrity issues, audit-chain tampering primitives.
Out of scope
- Denial-of-service, volumetric attacks, brute-force.
- Self-XSS, missing best-practice headers without a working exploit.
- Social engineering of LegalAudit staff or customers.
- Physical attacks against offices or data centres.
- Third-party services (Stripe, AWS) — report directly to them.
Reward tiers (placeholders — formal programme launches Q3 2026)
| Severity | Reward (CHF) |
|---|---|
| Low | 100+ |
| Medium | 500+ |
| High | 2000+ |
| Critical | 5000+ |
Reporting
- Email security@legalaudit.ch with clear reproduction steps.
- Use the PGP key for any payload containing customer data.
- Do not exfiltrate data beyond what is strictly necessary for proof.
- Allow a 90-day fix window before public disclosure.
Good-faith research conducted within this policy will not result in legal action.
Informational document published by LegalAudit SA. Statements reflect the current state of controls and are reviewed quarterly. They are not a contractual warranty unless incorporated into a signed agreement. For binding terms request the executed DPA at privacy@legalaudit.ch.