Security Program

Vulnerability Reporting Program

Help us maintain the security of the Ligantic platform by reporting vulnerabilities responsibly. We appreciate the security research community's efforts to keep our users safe.

Program Overview

Ligantic is committed to maintaining the highest security standards for our AI platform. We welcome responsible disclosure of security vulnerabilities and work closely with security researchers to address potential issues promptly.

Responsible Disclosure

We follow industry-standard responsible disclosure practices. Please report vulnerabilities through our secure reporting process below.

Scope

Our vulnerability reporting program covers the following assets:

In Scope

  • ligantic.com and all subdomains
  • Ligantic Cloud platform (*.ligantic.cloud)
  • Ligantic Apps* (*.ligantic.app)
  • Ligantic API endpoints
  • Authentication and authorisation systems
  • Data processing and AI model endpoints
  • Third-party integrations managed by Ligantic

Out of Scope

  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS) attacks
  • Issues in third-party services not managed by us
  • Vulnerabilities requiring physical access
  • Issues that require user interaction beyond normal usage
  • Spam or content injection without security impact

If you're unsure whether an issue is in scope, please contact us for clarification.

Note: We do not consider vulnerabilities in third-party services that we do not control, such as cloud providers or external APIs, to be in scope.

* Ligantic Apps refers to applications built on the Ligantic platform, including those hosted on ligantic.app or other subdomains. User-specific configuration or data is not in scope unless it directly impacts the security of the platform or its users.

Severity Guidelines

We classify vulnerabilities based on their potential impact and exploitability:

Critical

Remote Code Execution, SQL Injection

Vulnerabilities that allow complete system compromise or access to sensitive data.

High

Authentication Bypass, Privilege Escalation

Vulnerabilities that compromise user accounts or allow unauthorised access.

Medium

XSS, CSRF, Information Disclosure

Vulnerabilities that could lead to data exposure or user compromise.

Low

Minor Information Leaks, Configuration Issues

Vulnerabilities with limited impact or requiring significant user interaction.

Reporting Guidelines

To help us process your report efficiently, please include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue. Your steps must include the full context of your proof of concept (e.g., IDs for Organisations, Spaces, Flows, Experiences, Schemas, or other entities involved). Without this, we may be unable to verify the report, which can result in failure to dispense rewards.
  • Proof of concept (screenshots, videos, or code)
  • Potential impact and affected systems
  • Your assessment of the severity level
  • Any suggested remediation steps

Our Response Process

1. Acknowledgment

We'll confirm receipt of your report and provide a tracking reference.

2. Initial Assessment

Our security team will validate and assess the severity of the reported vulnerability.

3. Resolution

We'll work to resolve the issue as quickly as possible and keep you updated on our progress.

4. Resolution & Disclosure

We'll notify you when the issue is resolved and coordinate public disclosure (if appropriate).

Reward Eligibility

Our reward amounts are intended to be consistent with other equivalent programs. The final amount awarded depends on many factors, including:

  • Quality of report (e.g. a clear PoC, ideally with video or screenshots; a demonstration of impact/severity; and all details necessary to reproduce the issue)
  • Severity of issue (i.e. the scale of the compromise to the confidentiality or integrity of user data, in the context of Ligantic's business goals and customer commitments)
  • Impact of issue (i.e. the number of affected users, or the aspects of Ligantic's business affected by the issue)

Higher bounties will be paid for particularly severe vulnerabilities, and lower bounties will be paid for vulnerabilities with limited scope or presented with a subpar report. We may also decide that a single report constitutes multiple issues, or multiple reports are sufficiently similar that they warrant only a single reward.

The first comprehensive, responsibly disclosed report for any particular issue will be eligible for a paid reward, and all subsequent reports for the same issue will not be eligible. The Vulnerability Report submission timestamp or email timestamp at security@ligantic.com will be the sole discriminator for determining the first received report. We may decide at our discretion to reward a later report if the first report is of insufficient quality to enable effective remediation. Reports which break the guidelines of responsible reporting will not be eligible for any reward.

Non-qualifying Vulnerabilities

Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the issues that typically do not earn a monetary reward:

  • Bugs requiring exceedingly unlikely user interaction
  • Brute forcing
  • User enumeration
  • Non-security-related bugs (e.g. disclosure of server/software versions)
  • Abuse
  • Phishing
  • CSRF to log in or log out (unless chained with another vulnerability to demonstrate impact)

Submit a Vulnerability Report


Include the full context of your proof of concept (e.g., IDs for Users, Organisations, Spaces, Flows, Experiences, Schemas, or other entities involved). Without this, we may be unable to verify the report, which can result in failure to dispense rewards.


All vulnerability reports are handled confidentially and in accordance with our responsible disclosure policy.

Legal Notice

Please review the following important legal considerations before participating in our vulnerability reporting program:

Program Participation: By participating in our vulnerability reporting program, you agree to:

  • Not access, modify, or delete data belonging to others
  • Not perform testing that could degrade our services
  • Not publicly disclose vulnerabilities until we've had time to address them
  • Act in good faith and avoid privacy violations

Sanctions Restrictions: We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

Tax Implications: You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

Program Nature: This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and that the decision as to whether or not to pay a reward is entirely at our discretion.

Legal Compliance: Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Policy Modifications: We reserve the right to modify this vulnerability reporting policy or terms at any time. Any changes will be effective immediately upon posting to this page.

Last revised: 8 September 2025