Coordinated Vulnerability Disclosure Policy

At Leetchi, we take the security of our systems, services, and the data we process very seriously.

We also recognize the essential role played by security researchers in improving the security of the digital ecosystem.

If you believe you have identified a vulnerability affecting an asset operated by Leetchi, we encourage you to report it to us responsibly.

This Coordinated Vulnerability Disclosure Policy describes:

  • The systems in scope,
  • The rules applicable to security research,
  • The reporting procedure,
  • And our commitments to researchers acting in good faith.

Scope

The following assets are covered by this policy.

This policy applies solely to assets owned and operated by Leetchi.

table_scope_applied

Authorized Research Activities

We authorize security research conducted in good faith, in compliance with this policy and applicable laws.

The following activities are permitted when carried out in a reasonable and non-destructive manner:

  • Identification and validation of vulnerabilities;
  • Limited proof-of-concept demonstrations;
  • Low-impact manual or automated testing;
  • Minimal collection of information necessary to demonstrate the vulnerability;
  • Analysis of configuration or application behavior.

We ask that you limit your actions to what is strictly necessary to demonstrate the existence of the vulnerability.

Prohibited Activities

The following activities are not authorized:

  • Denial-of-service attacks (DoS/DDoS);
  • Deliberate degradation of availability;
  • Phishing, vishing, or any form of social engineering;
  • Physical access to premises, equipment, or infrastructure;
  • Mass data exfiltration;
  • Modification, deletion, or destruction of data;
  • Persistence or lateral movement to other systems;
  • Deployment of malware or shells;
  • Aggressive brute force or credential stuffing;
  • Accessing data that does not belong to you beyond the strict minimum necessary for validation;
  • Public disclosure prior to coordination with Leetchi.

If you accidentally access sensitive data, we ask that you:

  • Immediately cease your research;
  • Not retain, copy, or share that data;
  • Promptly notify us of the situation.

Reporting Procedure

To report a vulnerability, contact us at: [email protected]

PGP key available at: https://leetchi.com/fr/clef-pgp/

Useful Information for a Report

To facilitate analysis and reproduction of the issue, please include as much relevant information as possible:

  • Description of the vulnerability;
  • Potential impact;
  • Steps to reproduce;
  • Proof of concept (POC);
  • URL, endpoint, IP address, or affected component;
  • Screenshots, traces, or useful logs;
  • Conditions required for exploitation;
  • Any recommendations.

Reports based solely on automated tools without validation or contextualization may be rejected.

Leetchi’s Commitments

When a report complies with this policy, Leetchi commits to:

  • Acknowledging receipt of the report within 3 business days;
  • Qualifying the report within 7 business days;
  • Maintaining reasonable communication with the researcher;
  • Treating the information received confidentially;
  • Remediating confirmed vulnerabilities within a reasonable timeframe.

We value precise, responsible, and actionable reports.

Responsible disclosure is in itself a valuable contribution to the security of the ecosystem. We recognize it as such. For particularly significant vulnerabilities, special attention may be given to acknowledging this contribution, at our discretion and depending on the circumstances.

Safe Harbor

Safe Harbor coverage takes effect upon submission of the report to Leetchi.

When security research is conducted:

  • In good faith;
  • In compliance with this policy;
  • Within reasonable and proportionate limits;
  • And in accordance with applicable laws;

Leetchi will consider such activities as authorized.

In this context, Leetchi will not initiate legal proceedings against researchers who comply with this policy, and will support their good-faith efforts should any questions arise regarding their research activities.

This protection does not cover:

  • Malicious activities;
  • Actions contrary to this policy;
  • Violations of applicable laws;
  • Actions taken on out-of-scope systems.

Confidentiality and Coordinated Disclosure

We ask researchers not to publicly disclose a vulnerability before:

  • It has been remediated;
  • Or explicit coordination with Leetchi has taken place.

Unless otherwise agreed, we apply a standard coordinated disclosure deadline of 90 days from initial confirmation of the vulnerability.

Where relevant, coordination may involve specialized third-party organizations such as:

  • CERT/CC;
  • CERT-FR;
  • Affected vendors;
  • Impacted providers.

After remediation or expiration of the agreed deadline, reasonable and factual technical disclosure may be considered in coordination with Leetchi.

Out-of-Scope Vulnerabilities

The following categories are generally considered out of scope:

  • Missing security headers without demonstrated impact;
  • Exposed software versions;
  • Weak TLS configuration without demonstrated exploitability;
  • SPF, DKIM, or DMARC recommendations;
  • Clickjacking without a realistic scenario;
  • Expected public files (robots.txt, banners, error pages, etc.);
  • Purely theoretical or non-reproducible issues;
  • Reports based solely on automated scanners;
  • CSRF on non-sensitive or unauthenticated content;
  • Low-impact user enumeration;
  • Issues related to outdated browsers;
  • Issues requiring physical access;
  • Vulnerabilities affecting third-party services not operated by Leetchi.

This list is not exhaustive.

Legal Notice

This policy may be modified at any time without prior notice. The version in force is the one published on this page.

It does not constitute a general authorization to test Leetchi’s systems outside the framework defined above.

Researchers remain responsible for complying with:

  • Applicable laws;
  • Local regulations;
  • Third-party rights;
  • And obligations relating to the protection of personal data.

French law applies to this policy.

Security.txt

Leetchi’s official security.txt file is available at: https://leetchi.com/.well-known/security.txt

About us

  • Who are we?
  • Security
  • Press
  • Job vacancies

For you

  • Our Newsletter
  • Help center
  • Contact us
  • Standard donation contract
  • General terms and conditions of use
  • Legal
  • Privacy policy
  • VDP
  • Cookie policy
  • Sitemap