Testing scope

This page defines what is in scope for security testing. Testing outside these boundaries is not covered by safe harbor protections. When in doubt, contact security@instalaw.io before testing.

In scope
Web applications (priority: Primary)
  • instalaw.io and all subdomains
  • InstaLaw App (app.instalaw.io)
  • Attorney Directory (directory.instalaw.io)
  • Marketing site and landing pages
API endpoints (priority: Primary)
  • All /api/* route handlers across applications
  • Authentication and session management endpoints
  • File upload and document handling endpoints
  • AI chat streaming and inference endpoints
Authentication & authorization (priority: Primary)
  • Session management and token handling
  • Role-based access control (RBAC) enforcement
  • Workspace isolation and privacy boundaries
  • Admin panel access controls
Anonymization & privacy (priority: Critical)
  • PII redaction effectiveness
  • Anonymization bypass attempts
  • Data leakage through AI responses
  • Cross-workspace data isolation
Data storage (priority: Primary)
  • Database injection vulnerabilities
  • File storage access controls (Vercel Blob)
  • Encryption at rest effectiveness
  • Backup and export data exposure
Client-side (priority: Secondary)
  • Cross-site scripting (XSS) vectors
  • Client-side data exposure
  • Content Security Policy bypasses
  • Local storage / session storage exposure
Out of scope

The following are explicitly excluded from testing:

  • Third-party services (Vercel infrastructure, AI model providers, payment processors)
  • DNS infrastructure and domain registrars
  • Email delivery systems and SMTP servers
  • Social engineering, phishing, or pretexting against employees
  • Physical security of data centers or offices
  • Denial of service (DoS/DDoS) or resource exhaustion
  • Automated scanning without prior coordination (rate limit: 1 req/sec max)
  • Vulnerabilities in outdated browsers or non-supported platforms
  • Reports from automated tools without manual verification
  • Missing security headers that do not lead to exploitable vulnerabilities
  • Self-XSS or attacks requiring the victim to paste code into their console
  • Clickjacking on pages with no sensitive actions
Testing guidelines

Use test accounts only

Create your own accounts for testing. Never access accounts belonging to other users. If you need elevated permissions to test a specific flow, contact us.

Minimize impact

Limit the scope and duration of testing to what is necessary. Stop and report immediately if you inadvertently access data you should not have.

Rate limiting

Keep automated requests to at most 1 per second in total, not per worker or per thread. For authenticated endpoints, stay well within the per-user rate limits. Coordinate with us before any load testing.
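The simplest way to stay inside this cap is to put every automated request through one shared throttle rather than trusting each tool's own delay setting. The following is an added example, not InstaLaw code or a tool the program provides: a sliding-window limiter that is safe to share across threads, with a deterministic fake clock so the behaviour can be checked offline. The `send` callable, the fake clock and the sample URLs are all constructed for illustration; in real testing you would pass your HTTP client's request function and the default `time.monotonic` / `time.sleep`.

```python
"""Shared client-side throttle for automated testing under a 1 request/second cap."""
import threading
import time
from collections import deque


class RateLimiter:
    """Allow at most `max_requests` sends in any `period`-second window.

    One instance should be shared by every worker in a test harness, so that
    parallel threads cannot each send 1 req/s and add up to more than the cap.
    `clock` and `sleep` are injectable so the limiter can be exercised offline.
    """

    def __init__(self, max_requests=1, period=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_requests = max_requests
        self.period = period
        self._clock = clock
        self._sleep = sleep
        self._lock = threading.Lock()
        self._sent = deque()  # timestamps of sends still inside the window

    def acquire(self):
        """Block until a send is permitted, record it, and return seconds waited."""
        waited = 0.0
        while True:
            with self._lock:
                now = self._clock()
                # Drop timestamps that have aged out of the window.
                while self._sent and now - self._sent[0] >= self.period:
                    self._sent.popleft()
                if len(self._sent) < self.max_requests:
                    self._sent.append(now)
                    return waited
                # Oldest send in the window decides how long until a slot frees.
                delay = self.period - (now - self._sent[0])
            self._sleep(delay)  # sleep outside the lock so other threads can progress
            waited += delay


def throttled_send(limiter, send, url):
    """Wrap any request function so it cannot be called faster than the limiter allows."""
    limiter.acquire()
    return send(url)


class FakeClock:
    """Deterministic clock (assumed, for the offline demonstration): sleep advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_sends(urls, max_requests=1, period=1.0):
    """Send a constructed list of URLs through a fresh limiter on a fake clock.

    Returns the fake-clock timestamp at which each request went out, which is
    what a real harness would want to log to prove it honoured the rate cap.
    """
    clock = FakeClock()
    limiter = RateLimiter(max_requests, period, clock.now, clock.sleep)
    sent_at = []

    def send(url):  # stand-in for a real HTTP call; records when it fired
        sent_at.append(clock.now())
        return url

    for url in urls:
        throttled_send(limiter, send, url)
    return sent_at


def min_gap(timestamps):
    """Smallest interval between consecutive sends; must be >= period for a 1 req/s cap."""
    return min(b - a for a, b in zip(timestamps, timestamps[1:]))


if __name__ == "__main__":
    # Constructed sample targets; hostnames are placeholders, no requests are made.
    sample = [f"https://example.invalid/api/item/{i}" for i in range(5)]
    stamps = simulate_sends(sample)
    print("sent at (s):", stamps)            # [0.0, 1.0, 2.0, 3.0, 4.0]
    print("minimum gap (s):", min_gap(stamps))
```

Because the limiter keys on the oldest send in the window rather than on the last one, it also works for a burst allowance such as "3 per 5 seconds" if a program ever grants one; for this program keep the defaults of 1 per 1.0 s.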

Data handling

Do not exfiltrate, store, or share any data you encounter during testing. Delete any test artifacts when you are done. Do not include real user data in reports.

Production vs. staging

Prefer staging environments when available. For production testing, limit to read-only operations where possible. Contact us for staging access.