Responsible disclosure

If you find a hole, we want to know about it.

LeakSource takes security seriously. If you’ve discovered a vulnerability in our systems or infrastructure, this page explains how to report it safely, what’s in scope, and what you can expect from us.

How to report a vulnerability

Please include as much detail as you can:

Exact asset or URL you tested.
Step-by-step instructions to reproduce.
Any proof-of-concept code or screenshots.
Impact you believe the issue could have.

Send your report to inquiries@leaksource.us with the subject line: Security vulnerability report.

We’ll confirm we received your report, investigate it, and keep you updated until it’s fixed or we have a clear assessment.

Our commitment to you

We will not take legal action against good-faith research.
We will treat your report as confidential and won’t share your identity without your consent.
We will credit you (if you want) once the issue is resolved.

Scope

Scope & out-of-scope

In scope (examples):

Vulnerabilities on leaksource.us and subdomains we own.
Authentication, authorization, and session issues.
Insecure direct object references (IDORs).
Injection flaws (SQLi, XSS, etc.).
Exposed secrets or sensitive configuration.

Out of scope (examples):

Denial-of-service (DoS / DDoS) attacks or traffic flooding.
Spamming, social engineering, or phishing LeakSource staff or clients.
Physical security testing.
Vulnerabilities in third-party products we use but don’t control.

If you’re unsure whether something is in scope, reach out first and we’ll clarify.

Safe-harbor expectations

Avoid accessing more data than needed to prove your point.
Don’t pivot into client data or infrastructure.
Don’t permanently alter or destroy data.
Give us a reasonable amount of time to fix the issue before publicly disclosing it.

Will you pay bounties?

Right now, LeakSource runs a discretionary reward model. For high-impact, clearly documented vulnerabilities, we may offer a thank-you bonus, merch, or future program access at our discretion.

Either way, responsible researchers help us protect businesses from real attackers. If you’re pointing out issues to harden LeakSource, you’re on our side.