This is a v1 template that requires lawyer review before launch. Consult a qualified attorney for legal advice specific to your situation.
1. Our Commitment
LIFTSTACK.AI takes security seriously. As a security-engineering firm, we hold ourselves to the same standard we apply to client engagements. If you discover a vulnerability in our systems, we want to hear from you. We commit to working with you in good faith to understand and remediate the issue.
2. Scope
In Scope
The following systems and assets are in scope for this policy:
- The liftstack.ai website and all subdomains (*.liftstack.ai)
- Any n8n automation instances we operate and expose on public URLs
- Any AI agents or public-facing automation endpoints we deploy under the liftstack.ai domain
- API endpoints operated by LIFTSTACK.AI
If you are unsure whether a target is in scope, email [email protected] before testing. We will confirm.
Out of Scope
The following are explicitly out of scope and must not be tested:
- Third-party sub-processors (Cloudflare, Vercel, DigitalOcean, OpenAI, Anthropic, ElevenLabs, Resend, Cal.com, HubSpot, Notion). Report those issues directly to the relevant vendor.
- Social engineering attacks against LIFTSTACK.AI staff or contractors
- Physical security attacks
- Denial-of-service and distributed denial-of-service attacks
- Brute-force attacks against authentication endpoints
- Automated scanner output submitted without a verified, demonstrable impact
- Vulnerabilities in systems or applications that require privileged or insider access to discover
- Findings that are purely theoretical and have no realistic exploit path
3. How to Report
Email: [email protected]
Optional: Encrypted Submission
If your report contains sensitive details, you may encrypt it to our PGP key. Verify that the key you fetch matches the fingerprint published here before encrypting.
PGP key fingerprint: [PGP fingerprint - to be published]
The location of the public key is published in the Encryption field of our security.txt file at liftstack.ai/.well-known/security.txt.
What to Include
A useful report contains:
- A clear description of the vulnerability and its potential impact
- The affected system or URL
- Step-by-step reproduction instructions
- Proof-of-concept code or screenshots where applicable
- Any relevant request and response payloads (redacted of third-party personal data where possible)
The more detail you provide, the faster we can triage and remediate.
4. What We Ask of Researchers
To qualify for safe harbor and recognition under this policy, follow these rules:
- Act in good faith and with the intent to improve security.
- Limit your testing to confirming the existence and impact of a vulnerability. Do not access, copy, modify, or exfiltrate user data beyond the minimum needed to demonstrate the issue.
- Do not destroy, corrupt, or alter any data.
- Do not disrupt our services or degrade performance for other users.
- Do not test systems that are out of scope.
- Give us 90 days from the date of your report to remediate the issue before any public disclosure. If the issue is complex and you are willing to extend this window, contact us and we will work out a timeline together.
- Report only to [email protected]. Do not disclose findings publicly, to third parties, or to our clients before coordinated disclosure.
5. What We Promise in Return
- Acknowledgment within 72 hours: We will confirm receipt of your report within 72 hours of submission.
- Status update within 14 business days: We will provide an initial severity assessment and a remediation timeline within 14 business days of receipt.
- No legal action: We will not initiate or support legal action against you for security research conducted in good faith under this policy, within scope, and in compliance with the rules above.
- Credit: If you request it, we will credit you by name (or alias) in our public security hall of fame upon disclosure or patch confirmation.
- Bounty eligibility: We may, at our discretion, offer a monetary bounty for valid high-severity findings. We are an SMB-scale agency, not a funded unicorn. We make no guarantee of payment. If a bounty is offered, we will communicate it directly after triage.
6. Safe Harbor
LIFTSTACK.AI considers security research conducted under this policy to constitute authorized access under applicable computer fraud and abuse laws. We will not refer reports to law enforcement for activities conducted in good faith, within scope, and in accordance with this policy.
This safe harbor applies only to [LIFTSTACK.AI legal entity]. It does not bind third-party platforms, sub-processors, or other entities.
If you are uncertain whether a planned activity falls within this policy, ask us at [email protected] before proceeding.
7. Coordinated Disclosure
We follow a coordinated disclosure model with a default 90-day embargo from the date of report submission. After 90 days, or after a patch is confirmed, whichever comes first, you are free to publish your findings. We ask that you notify us 7 days before publication so we can review the draft and confirm no sensitive client data is inadvertently included.
We may request an extension for complex or systemic issues. Extensions require mutual agreement in writing.
8. Updates to This Policy
We may update this policy as our infrastructure evolves. The “Last updated” date at the top of this page reflects the current version. If you submitted a report under a prior version of this policy, the terms in effect at the time of submission apply.
9. Contact
[email protected] (general inquiries only; security reports sent to this address will be redirected and may be delayed)