CampLegal – Security Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

CampLegal welcomes responsible security research. If you discover a vulnerability in our platform, we want to hear from you and will work with you to resolve it promptly.

  • Safe Harbor Protection
  • Acknowledgment for Valid Reports
  • SOC 2 Aligned

Report a Vulnerability

Please send all security vulnerability reports to our dedicated security email. Include a detailed description of the vulnerability, steps to reproduce, affected components, and your assessment of impact. We will acknowledge receipt within 2 business days.

security@camplegal.com

1. Scope

This policy applies to vulnerabilities discovered in CampLegal's production systems and services. The following guidelines define what is in scope and out of scope for responsible disclosure.

In Scope

  • CampLegal web application (app.camplegal.com)
  • CampLegal public website (camplegal.com)
  • CampLegal API endpoints
  • Authentication and authorization flaws
  • Injection vulnerabilities (SQL, XSS, CSRF)
  • Sensitive data exposure
  • Server-side request forgery (SSRF)
  • Business logic vulnerabilities

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Physical security attacks
  • Social engineering or phishing
  • Third-party services or applications
  • Spam or bulk messaging
  • Missing HTTP security headers without a demonstrated exploit
  • Clickjacking on static pages
  • Missing rate limiting on non-authentication endpoints

2. Responsible Disclosure Guidelines

We ask that all security researchers adhere to the following responsible disclosure principles:

  • Provide sufficient detail for us to reproduce and validate the vulnerability, including proof of concept where possible.
  • Do not access, modify, or delete data belonging to other users. Use only your own test accounts.
  • Do not perform actions that could degrade, disrupt, or damage CampLegal's services or infrastructure.
  • Do not disclose the vulnerability publicly until CampLegal has had a reasonable opportunity to investigate and remediate (minimum 90 days).
  • Do not use automated scanning tools that generate excessive traffic or could impact service availability.
  • Comply with all applicable laws throughout the research and disclosure process.

3. Safe Harbor

CampLegal considers security research conducted in accordance with this policy to be authorized conduct. We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they comply with the guidelines above.

If a third party initiates legal action against you for activities conducted in compliance with this policy, CampLegal will make it known that your actions were authorized under our Vulnerability Disclosure Policy.

4. Our Commitment

When you submit a vulnerability report, CampLegal commits to the following:

  • Acknowledge receipt of your report within 2 business days.
  • Provide an initial assessment and expected timeline within 10 business days.
  • Work in good faith to remediate validated vulnerabilities in a timely manner.
  • Keep you informed of progress toward resolution.
  • Credit researchers (with consent) who report valid, previously unknown vulnerabilities in our security acknowledgments.

5. Recognition & Eligibility

CampLegal does not currently offer monetary rewards for vulnerability reports. However, we do provide public acknowledgment (with your consent) to researchers who submit valid, previously unknown vulnerabilities. To be eligible for acknowledgment, your report must be the first report of the vulnerability and must follow the responsible disclosure guidelines outlined above.

© 2026 CampLegal, Inc. · 555 E City Ave, Suite 940, Bala Cynwyd, PA 19004
This policy is effective March 30, 2026 · Version 1.0 · security@camplegal.com