security policy
last updated: 2026-05-05
scope
this policy applies to systems Liv4All operates:
- liv4all.com and its subdomains, including app.liv4all.com and hello.liv4all.com.
- the Liv4All Telegram bot and the dedicated agent email addresses we issue to operators.
- the public knowledge-base widget served from our infrastructure.
out of scope
- denial-of-service or volumetric attacks against any Liv4All endpoint.
- social engineering of Liv4All staff, operators, or our sub-processors' staff.
- physical attacks against infrastructure, offices, or personal devices.
- findings on third-party services (AWS, Google, Telegram, Anthropic, Browserbase, Brave, Formspree) where Liv has no remediation path. report those upstream.
- missing best-practice headers without a demonstrable impact, theoretical attacks without proof-of-concept, automated scanner output without manual validation.
how to report
email security@liv4all.com with:
- a clear description of the issue and its impact.
- reproduction steps, ideally with a minimal proof-of-concept.
- any artefacts (screenshots, logs, request traces) that help us validate quickly.
- the affected URL or endpoint, and the date and time of testing.
PGP-encrypted reports are welcome — request our key in your initial mail and we'll respond with it.
response window
- 3 business days to acknowledge your report.
- 10 business days for an initial assessment, including triage and severity.
- remediation timelines follow from severity. we'll keep you in the loop and credit you in any public write-up if you want.
safe harbour
we will not pursue legal action against researchers who, in good faith:
- follow this policy and avoid privacy violations, destruction of data, and degradation of service.
- only interact with accounts they own or have explicit permission to test.
- give us reasonable time to remediate before public disclosure (we suggest 90 days, extendable by mutual agreement).
- don't exploit any vulnerability beyond what's necessary to demonstrate it.
- don't exfiltrate data beyond the minimum needed to prove impact, and delete anything they did access on request.
if your activity is consistent with this policy, we consider it authorised research and will not
bring or support legal action against you. if a third party initiates legal action, we will make
it clear that your actions were authorised.
contact
vulnerability reports: security@liv4all.com.
everything else (data requests, account help, press): support@liv4all.com.
machine-readable contact: /.well-known/security.txt.