Security Reporting Policy
At Lotly, we prioritize data security and believe that collaborating with skilled security researchers helps us uncover and address any vulnerabilities in our technology.
If you suspect you've discovered a security flaw in Lotly's services, please contact us. We will work together to swiftly resolve the issue.
Disclosure Policy
Report any security incidents, potential vulnerabilities, or security-related questions to privacy@lotly.ai. This is the same shared inbox that handles privacy, data-protection, and DSAR requests, so a single message reaches the people who need to triage it. We will respond promptly.
Please allow us adequate time to address the issue before publicly disclosing it or sharing it with third parties.
We ask that you avoid actions that could compromise privacy, damage data, or disrupt Lotly's services. Only interact with accounts you own or those for which you have explicit authorization from the account holder.
Scope
In scope: lotly.ai and its subdomains, and Lotly-operated web applications served from those domains.
Out of scope: production systems and databases containing live consumer-report or tenant data, third-party services and infrastructure not operated by Lotly, and Subscribers' own websites and systems. If you encounter personal information, consumer-report data, or another user's data during research, stop immediately, do not access, copy, download, or retain it, and report what you found to us. Do not exfiltrate data under any circumstances.
Safe Harbor
Security research conducted in good faith and in accordance with this policy is considered authorized, and Lotly will not initiate legal action against you for it. If a third party brings legal action against you for research that complied with this policy, we will make it known that your activities were conducted in accordance with this policy.
Exclusions
While conducting research, please refrain from the following activities:
- Distributed Denial of Service (DDoS) attacks
- Spamming
- Social engineering or phishing attempts targeting Lotly employees or contractors
- Any attacks on Lotly's physical property or data centers
Thank you for your efforts in helping us safeguard Lotly and our users!
Updates
These guidelines may be updated periodically. The latest version will always be available on this page.
We welcome your feedback, questions, and suggestions. Feel free to reach out to us at privacy@lotly.ai.