To maintain a high degree of security for our products and services, we currently offer the opportunity for security researchers to help us identify vulnerabilities and report them to our team.
The security of our infrastructure is important to us, so the feedback we receive is highly appreciated. It helps us to safeguard our services and deliver the best possible protection to our customers and their data.
Responsible disclosure policy
We operate with a policy of responsible disclosure for reporting security vulnerabilities. If you're involved with security research, here are our guidelines and the process for reporting possible vulnerabilities.
Do not attempt social engineering. This includes research against employees, team members, support representatives, etc.
Do not attempt physical security testing. This includes research against offices, data centers, etc.
Do not attempt denial-of-service (DoS) attacks. This includes application-level denial-of-service, distributed denial-of-service (DDoS), etc.
Do not attempt brute-force attacks or spam. This includes enumeration, password guessing, web directory guessing, etc.
Avoid research that sends emails, text messages, push notifications, or other communications to other users. You may test these communications on yourself, but should avoid creating more traffic than necessary.
Do not conduct security research activities on any of our vendors or other third-party partners.
If you encounter sensitive data, stop testing immediately. This includes personally identifiable information (e.g. names, email addresses, physical addresses, phone numbers), financial data, etc. Report potential issues and we will guide further testing.
Respect LegalZoom infrastructure, users, and other security researchers. Use your best effort to avoid causing harm to LegalZoom property or disrupting LegalZoom services.
Avoid submitting low-quality reports or those without a clear security impact.
This policy applies to the following systems:
Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-LegalZoom systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their own disclosure policy, should one exist.
If you aren't sure whether or not a system or endpoint is in scope, contact us at firstname.lastname@example.org before starting your research.
How to report a suspected security vulnerability
If you believe you've found a potential vulnerability, please complete and submit the responsible disclosure form below, providing as much detail as possible.
What happens next
LegalZoom will acknowledge your submission and review the reported issue. You'll be notified of whether the reported issue is validated, and if so, the priority level assigned.