Vulnerability Disclosure Policy

LegalsOne welcomes responsible disclosure of security vulnerabilities. If you've found something, we want to know. This policy outlines how to report, what to expect, and the protections available to good-faith researchers.

Effective Date: February 23, 2026

1. Overview

LegalsOne is committed to maintaining the security of our platform and the data entrusted to us by law firms. We recognize that security researchers play an important role in identifying vulnerabilities before malicious actors can exploit them. This policy establishes the ground rules for good-faith security research and responsible disclosure.

We ask that researchers report security issues to us before making any public disclosure, to give us time to investigate and remediate.

2. Scope

This policy covers:

  • The LegalsOne public website (legalsone.com and subdomains)
  • The LegalsOne platform, including its authentication, API, and user-facing functionality
  • LegalsOne's publicly accessible infrastructure

In-scope vulnerability types include:

  • Authentication bypass or privilege escalation
  • Cross-site scripting (XSS) with demonstrable impact
  • SQL injection
  • Server-side request forgery (SSRF)
  • Remote code execution
  • Significant information disclosure (e.g., accessing another customer's data)
  • Insecure direct object references affecting cross-customer data access
  • Cryptographic weaknesses with practical exploit paths

3. Out of Scope

The following are explicitly excluded from this policy and should not be tested:

  • Customer environments — you must not access, probe, or test any law firm's LegalsOne environment without authorization from that firm. Unauthorized testing of customer environments is a violation of this policy regardless of good-faith intent and may constitute criminal activity.
  • Denial-of-service attacks of any kind
  • Physical security testing
  • Social engineering (phishing, pretexting) of LegalsOne staff or customers
  • Automated vulnerability scanning without prior written approval
  • Issues in third-party software not under LegalsOne's direct control
  • Login form rate limiting without demonstrated exploit
  • Self-XSS requiring significant user interaction
  • Missing security headers without a demonstrated practical exploit
  • Reports based solely on automated scanner output without manual verification

4. How to Report

Submit vulnerability reports to security@legalsone.com. Please include:

  • A clear, step-by-step description of how to reproduce the vulnerability
  • The potential impact (what could an attacker achieve?)
  • Any supporting evidence (screenshots, PoC code, HTTP request/response examples)
  • The system or URL affected
  • Your contact information (we will not publish your name without your permission)

For sensitive disclosures, you may request our PGP public key for encrypted communication by emailing the above address with the subject "PGP key request."

We ask that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it (typically 90 days, sooner if resolved earlier). We will keep you informed of our progress.

5. Safe Harbor

LegalsOne commits to the following safe harbor protections for security researchers who comply with this policy in good faith:

  • We will not pursue civil or criminal action against researchers who discover and report vulnerabilities in good faith according to the terms of this policy.
  • We will not forward your personal information to law enforcement without notifying you first, unless required by law or to prevent imminent harm.
  • We will treat your submission as confidential and will not publish your name or details without your consent.

Good faith means: you did not exploit the vulnerability beyond what was necessary to confirm its existence; you did not access, retain, or disclose any data beyond what was needed to demonstrate the issue; you avoided testing customer environments; and you reported promptly.

This safe harbor does not apply to testing that violates applicable law regardless of intent. Unauthorized access to computer systems may violate the Computer Fraud and Abuse Act (CFAA) and similar laws.

6. Our Commitments to Researchers

  • Acknowledge receipt of your report within 3 business days.
  • Provide an initial assessment of severity and expected timeline within 10 business days.
  • Keep you informed of progress as we investigate and remediate.
  • Notify you when the vulnerability has been resolved (without disclosing other customers' information).
  • Not pursue legal action against you for good-faith research conducted under this policy.

7. Recognition

LegalsOne does not currently operate a bug bounty program with monetary rewards. We do offer recognition in the form of a public acknowledgment (with your permission) for significant findings that are reported responsibly and result in a confirmed fix. We appreciate the security community's contribution to our platform's integrity.

8. Contact

Security disclosures: security@legalsone.com