Reporting a vulnerability and what we do with it.
Ledgerline operates infrastructure that has authority over real money and real contracts. We treat security reports the way that responsibility demands.
How to report
Email [email protected]. Include enough detail that we can reproduce the issue. PGP is supported on request.
A machine-readable version of this policy is also published at /.well-known/security.txt.
What we commit to
- Acknowledgement within two business days.
- An initial severity assessment within five business days.
- Coordinated disclosure: we will work with you on a public-disclosure timeline, typically 90 days from acknowledgement, longer when the fix requires customer migration.
- Public credit on a researcher acknowledgements page (when launched), unless you ask to remain anonymous.
Scope
In scope:
- The Ledgerline control plane API at api.ledgerline.dev (and any non-production replicas you discover)
- The marketing site at ledgerline.dev
- Authentication, authorization, audit-integrity, and rate-limiting flaws
- Supply-chain or build-system risks affecting our published artifacts
Out of scope (please don't):
- Denial-of-service or load testing without prior coordination
- Social engineering of staff, customers, or vendors
- Physical attacks on people or facilities
- Issues that require a non-default browser, an outdated dependency we don't ship, or compromised end-user devices
- Reports generated solely by automated scanners with no demonstrated impact
Safe harbor
If you make a good-faith effort to comply with this policy when conducting your security research, we will not pursue legal action against you for that research, and we will work with you to understand and resolve the issue.
What we do internally
- All Ledgerline customer data is encrypted in transit (TLS 1.2+) and at rest.
- Production infrastructure is access-controlled through our IdP, with MFA required and admin actions audited.
- Our own audit log of admin actions is hash-chained (each entry commits to the hash of the entry before it, so tampering with or removing an entry is detectable), the same way the customer-facing audit log is.
- Dependencies are pinned and reviewed, and we read the postmortems of supply-chain compromises, such as the public registry incidents of recent years, carefully.
- Secrets never live in source. Production secrets are issued through hardware-backed key material.
What we won't pretend
We don't yet have a SOC 2 Type II attestation. That's in scoping with our auditor. We also don't have a public bug bounty — when we have one, it will appear on this page. Today, [email protected] is the front door, and it works.
For things that aren't a vulnerability — sales questions, partnership, support — go to [email protected].