Disclosure guidelines

How we handle vulnerability reports — what you can expect from us, and what we ask in return. If you're testing in good faith and following the rules below, we've got your back.

Last updated: April 2026

Safe harbor

InstaLaw will not pursue civil or criminal legal action against researchers who:

  • Act in good faith and follow these guidelines
  • Do not access, modify, or delete data belonging to other users
  • Do not degrade service availability (no DoS/DDoS testing)
  • Report findings promptly and allow reasonable remediation time
  • Do not publicly disclose until we confirm the fix is deployed
  • Do not use automated scanning tools at scale without prior coordination

Reporting protocol

01. Document the vulnerability

Capture detailed reproduction steps, screenshots or video if applicable, and an assessment of the impact. The more detail you provide, the faster we can triage.

02. Submit your report

Use our web form at /report or email security@instalaw.io directly. If emailing, you may encrypt your report with our PGP key. Do not report vulnerabilities through public channels (GitHub issues, social media, etc.).

03. Receive acknowledgment

We will acknowledge receipt within the SLA window for the severity level. You will receive a tracking ID for your report.

04. Coordinate on remediation

We will keep you informed of our progress. If we need additional information, we will reach out. We aim to remediate within our target windows.

05. Disclosure and recognition

Once the fix is deployed and verified, we will coordinate public disclosure timing with you. With your permission, we will add you to our Hall of Fame.

Response SLAs

We commit to the following response and remediation timelines:

Severity        First Response    Remediation Target
critical        24 hours          24 hours
high            24 hours          7 days
medium          72 hours          30 days
low             1 week            90 days
informational   Best effort       Discretionary

Compensation

InstaLaw is an early-stage product and we do not currently have the funding to operate a bug bounty program. We understand that security research takes real time and expertise, and we genuinely value every good-faith report we receive.

What we can offer today is public recognition on our Hall of Fame, a direct line to our engineering team, and our commitment to launching a formal bounty program as soon as our funding allows. Thank you for understanding.

Prohibited activities

The following activities are strictly prohibited and will void safe harbor protections:

  • Denial of service attacks or resource exhaustion testing
  • Accessing, downloading, or modifying other users' data
  • Social engineering attacks against InstaLaw employees or users
  • Physical attacks against InstaLaw infrastructure
  • Automated vulnerability scanning at scale without coordination
  • Testing against production systems with real user data
  • Public disclosure before coordinated timeline agreement
  • Submitting reports through third-party bounty platforms without prior arrangement

Contact

Email: security@instalaw.io

Need PGP? Mention it in your first email and we'll send a key before you share anything sensitive.