LeanIX appreciates and values the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers.
This vulnerability disclosure policy applies to any vulnerabilities that you are considering reporting to us. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it. Via this Responsible Disclosure policy, the Information Security Team of LeanIX provides a framework that allows for the safe, secure and responsible disclosure of weaknesses in our products and infrastructure, which can be exploited to perform unauthorised actions within a system. The purpose of this Policy is to enable the vulnerability to be reported responsibly and to be remediated or patched in order to retain the Confidentiality, Integrity and Availability of our services.
If you are a security researcher and you encounter a vulnerability, we would like to cooperate with you to fix the vulnerability before it can be misused.
If you believe you have found a security vulnerability, please submit your report to us using the following email address: firstname.lastname@example.org
Your report should include details of:
We welcome anonymous reports but we will not be able to share updates on the follow-up of the report.
Our information security experts will assess the finding and respond as soon as reasonably possible. Each case will be analysed individually. We kindly request that you give us reasonable opportunity and time for this analysis, keep the information confidential, and not disclose the vulnerability to others without consulting the LeanIX Information Security team.
Please note that LeanIX does not offer a bug bounty program. This means that LeanIX does not pay rewards for disclosed security vulnerabilities. This Policy is not intended to encourage hacking attempts in connection with LeanIX products and infrastructure, but to provide a responsible framework under which security vulnerability reports can be communicated and remediated. On a case-by-case basis, in consultation, we will consider providing public acknowledgement of your support.
Any personal details that we have received from your side will be processed by us in accordance with the LeanIX privacy notice for business customers, partners and counter-parties available at our commitments as a data controller. Your data will be processed for purposes of responding to your report and addressing the reported vulnerabilities.
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law or which might cause LeanIX to be in breach of any of its legal obligations.
If at any time you have questions about the above policy, feel free to reach out to email@example.com