Safe harbor
Liora considers security research conducted in good faith under this policy to be authorised activity. We will not pursue civil claims or notify law enforcement against researchers who follow the rules below. If you are uncertain whether something is in scope, ask first at [email protected].
What is in scope
- The Liora web app at https://liora.fm and subdomains.
- The public REST and WebSocket APIs at https://api.liora.fm.
- Liora-developed mobile/desktop installers (when published).
- Authentication, authorisation, billing, file uploads and content moderation flows.
What is out of scope
- Third-party services we integrate with (Stripe, Postmark, Cloudflare, Replicate, Persona) — please report those to the vendor.
- Reports relying solely on missing best-practice headers without demonstrable impact.
- Self-XSS, CSV injection without a clear attack chain, vulnerabilities only exploitable in obsolete browsers (more than 2 years old).
- Denial-of-service attacks against production infrastructure.
- Social engineering of Liora staff.
- Physical attacks against Liora offices or data centres.
Rules of engagement
- Test only against your own account. Use the free tier — we do not require a paid plan to research.
- Do not access, modify or delete other users' data. If you incidentally encounter another user's data, stop and report it.
- Do not run automated scanners that generate sustained traffic. A single proof-of-concept request is fine; ten thousand are not.
- Do not exfiltrate more data than the minimum needed to demonstrate the issue.
- Do not publicly disclose the vulnerability until we have confirmed it is fixed (or 90 days have elapsed without a fix).
- Do not extort or threaten. Reports asking for a "bounty before details" are ignored.
What to include in your report
- A clear description of the vulnerability and where it lives (URL, endpoint, parameter).
- Steps to reproduce, with screenshots, video or HTTP requests.
- Your assessment of impact (data at risk, privilege gained).
- Suggested mitigation, if you have one.
- How you would like to be credited (or "anonymous").
What we commit to
- Acknowledge your report within 1 business day.
- Triage and assign a severity within 3 business days.
- Provide regular status updates while we work on a fix.
- Credit you in our security hall of fame at /security/hall-of-fame, unless you ask us not to.
- Pay a bounty for high-impact issues at our discretion (we are still finalising the public bounty programme).
Encrypted reports
For high-sensitivity reports, encrypt your message with our PGP key (fingerprint published at https://liora.fm/.well-known/security.txt). The same key signs our security advisories.
Critical issues
If you have evidence of an active breach (e.g., user data being exfiltrated right now), email [email protected] with subject line starting [URGENT] and we will escalate within minutes.