At Leetchi, we take the security of our systems, services, and the data we process very seriously.
We also recognize the essential role played by security researchers in improving the security of the digital ecosystem.
If you believe you have identified a vulnerability affecting an asset operated by Leetchi, we encourage you to report it to us responsibly.
This Coordinated Vulnerability Disclosure Policy describes:
The following assets are covered by this policy.
This policy applies solely to assets owned and operated by Leetchi.

We authorize security research conducted in good faith, in compliance with this policy and applicable laws.
The following activities are permitted when carried out in a reasonable and non-destructive manner:
We ask that you limit your actions to what is strictly necessary to demonstrate the existence of the vulnerability.
The following activities are not authorized:
If you accidentally access sensitive data, we ask that you:
To report a vulnerability, contact us at: [email protected]
PGP key available at: https://leetchi.com/fr/clef-pgp/
To facilitate analysis and reproduction of the issue, please include as much relevant information as possible:
Reports based solely on automated tools without validation or contextualization may be rejected.
When a report complies with this policy, Leetchi commits to:
We value precise, responsible, and actionable reports.
Responsible disclosure is in itself a valuable contribution to the security of the ecosystem. We recognize it as such. For particularly significant vulnerabilities, special attention may be given to acknowledging this contribution, at our discretion and depending on the circumstances.
Safe Harbor coverage takes effect upon submission of the report to Leetchi.
When security research is conducted:
Leetchi will consider such activities as authorized.
In this context, Leetchi will not initiate legal proceedings against researchers who comply with this policy, and will support their good-faith efforts should any questions arise regarding their research activities.
This protection does not cover:
We ask researchers not to publicly disclose a vulnerability before:
Unless otherwise agreed, we apply a standard coordinated disclosure deadline of 90 days from initial confirmation of the vulnerability.
Where relevant, coordination may involve specialized third-party organizations such as:
After remediation or expiration of the agreed deadline, reasonable and factual technical disclosure may be considered in coordination with Leetchi.
The following categories are generally considered out of scope:
This list is not exhaustive.
This policy may be modified at any time without prior notice. The version in force is the one published on this page.
It does not constitute a general authorization to test Leetchi’s systems outside the framework defined above.
Researchers remain responsible for complying with:
French law applies to this policy.
Leetchi’s official security.txt file is available at: https://leetchi.com/.well-known/security.txt