LaunchLemonade Responsible Disclosure Policy

Our Commitment
At LaunchLemonade, keeping our users and their data safe is a top priority. We’re grateful to independent security researchers and the community for helping us keep our platform secure.

How to Report a Vulnerability
If you think you’ve found a security issue, please use our Security Contact Form to let us know.
It’s helpful if you can include:

  • What the vulnerability is

  • Steps to reproduce it (screenshots or code snippets are welcome)

  • Why you think it matters

  • Your preferred contact details

What to Expect from Us

  • We’ll confirm we’ve received your report within 5 business days.

  • We’ll review and investigate all valid reports as quickly as we can.

  • We ask that you give us a reasonable amount of time (up to 30 days) to address any confirmed issues before sharing them publicly.

  • With your permission, we’re happy to credit you on our Hall of Fame page for any valid, responsibly disclosed vulnerability.

  • We don’t have a formal bug bounty programme at this time. Any recognition or reward is entirely at our discretion.

Working Together
We ask that you:

  • Respect our users’ privacy and only test accounts you own or have permission to use.

  • Don’t exploit a vulnerability beyond what’s needed to show it exists.

  • Avoid tests that could disrupt our services for other users.

What’s Not in Scope
Please note, we can’t treat the following as vulnerabilities:

  • Suggestions about best practices or user experience

  • Issues that depend on physical access or social engineering

  • Attacks on our staff or users outside the platform

  • Automated tools for denial-of-service or similar tests

Thank You
Thank you for helping us keep LaunchLemonade safe for everyone.
All reports and questions should go through our [Security Contact Form]([insert link]).