Security
Vulnerability Disclosure Policy
Version 1.0 · Last updated 7 July 2026
LeakIQ Ltd takes the security of its platform and its customers' data seriously. We welcome reports from security researchers and users, and we are committed to working with the community to verify, reproduce and resolve reported issues.
1. Our commitment
If you believe you have found a security vulnerability in the LeakIQ platform, we want to hear from you. We will investigate all legitimate reports, keep you informed of our progress, and will not take legal action against anyone who reports a vulnerability in good faith and in line with this policy.
2. How to report
Please email security@leakiq.io with enough detail for us to reproduce the issue. Helpful information includes:
- the type of issue and the affected component or URL;
- step-by-step instructions to reproduce it;
- any proof-of-concept, request/response samples or screenshots;
- the potential impact as you see it.
This policy is also published at /.well-known/security.txt.
3. Safe harbour
We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorised. We will not pursue or support legal action against you for good-faith research that respects this policy and our customers' data. If legal action is initiated by a third party against you for activity conducted under this policy, we will make it known that your actions were authorised.
4. What to expect
- We acknowledge your report within one business day.
- We triage and validate the issue, assign a severity, and keep you informed of progress.
- We aim to remediate confirmed vulnerabilities promptly, prioritised by severity, and will let you know when a fix is deployed.
- With your permission, we are happy to credit you once the issue is resolved.
5. Guidelines
To keep customers safe while you research, we ask that you:
- make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services;
- only interact with accounts you own or have explicit permission to test — never access, modify or exfiltrate other customers' data;
- do not run automated scanning that degrades service, and do not perform denial-of-service, spam, or social-engineering attacks against LeakIQ, its staff or its customers;
- give us a reasonable time to investigate and remediate before disclosing an issue publicly, and do not disclose customer data.
6. Scope
In scope: the LeakIQ application and APIs at app.leakiq.io and api.leakiq.io, and the LeakIQ marketing site.
Typically out of scope: findings from automated scanners without demonstrated impact; missing best-practice headers with no exploitable consequence; rate-limiting or brute-force reports without a working proof-of-concept; social engineering; and vulnerabilities in third-party services or sub-processors (please report those to the relevant provider). If in doubt, report it and we will assess it.
For our wider security posture, see the Trust Center and technical documentation.