Responsible Disclosure Policy

The following assets are in scope for security research:

• app.lyrie.ai — Main application (dashboard, API endpoints)
• waf.lyrie.ai — WAF proxy infrastructure
• *.lyrie.ai — All Lyrie subdomains (legal, terms, privacy, status, help)
• Lyrie AI Security & Privacy — Desktop agent (Windows, macOS, Linux)
• Lyrie Captcha — Embeddable captcha widget and verification API
• Lyrie APIs — All documented API endpoints
• WordPress Plugin — Lyrie AI WordPress integration

Out of scope:

• Third-party services (Stripe, Vercel, AWS, GitHub, Google, Apple)
• Social engineering attacks against Lyrie employees
• Physical attacks against Lyrie infrastructure
• Denial-of-service (DoS/DDoS) attacks
• Automated scanning that causes service degradation

When researching vulnerabilities:

• Only test against accounts you own or control. Do not access, modify, or delete data belonging to other users.
• Stop testing and report immediately if you encounter any customer data.
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue (proof of concept only).
• Do not run automated scanners at high volume against production services. Use reasonable request rates.
• Do not publicly disclose vulnerabilities before Lyrie has had a reasonable opportunity to address them (minimum 90 days).
• Do not conduct testing that could degrade services for other users.

Send your report to [email protected]. Include:

• Description of the vulnerability and its potential impact.
• Step-by-step reproduction instructions.
• Affected endpoint, component, or asset.
• Screenshots, video, or proof-of-concept code where applicable.
• Your preferred contact information for follow-up.

If you prefer encrypted communication, request our PGP public key via email.

• Acknowledgment: Within 2 business days of receipt.
• Triage: Within 5 business days, we will provide an initial assessment.
• Resolution: Critical vulnerabilities are targeted for resolution within 7 days. High-severity within 30 days. Medium/low within 90 days.
• Notification: We will notify you when the vulnerability is fixed and invite you to verify the fix.

We consider security research conducted in accordance with this policy to be:

• Authorized under the Computer Fraud and Abuse Act (CFAA) and similar state/international laws.
• Exempt from DMCA Section 1201 restrictions to the extent your research involves circumvention of security measures.
• Lawful, helpful, and conducted in good faith.

We will not initiate or recommend legal action against researchers who comply with this policy. If a third party initiates legal action against you for research conducted under this policy, we will take steps to make it known that your actions were authorized.

We recognize and appreciate security researchers who help us improve our security. With your permission, we will:

• Acknowledge your contribution on our security acknowledgments page.
• Provide a reference letter upon request for valid findings.

We do not currently offer monetary bounties. This policy is focused on recognition and safe harbor. Monetary rewards may be considered for exceptional findings at Lyrie's discretion.

The following are generally not considered valid vulnerabilities:

• Missing security headers on non-sensitive pages (e.g., marketing pages without user data)
• CSRF on logout
• Clickjacking on pages without state-changing actions
• Information disclosure in server banners or HTTP headers
• Rate limiting not enforced on non-sensitive endpoints
• Self-XSS (requires social engineering the victim to paste malicious code)
• Email enumeration on the login or registration page
• Theoretical vulnerabilities without a demonstrated proof of concept

Security reports: [email protected]
General security questions: [email protected]