Security
Last Updated: July 15, 2026
Responsible vulnerability disclosure
If you have discovered a vulnerability in a Lapel system, please report it to security@lapel.com. We read every report, and reports may be submitted anonymously. Our full vulnerability disclosure policy covers scope, rules of engagement, and disclosure timelines.
We will not take legal action against, nor ask law enforcement to investigate, researchers who work with us in good faith, including:
Sharing the full details of the issue with us promptly
Making every effort to avoid violating our customers' (or our) privacy, destroying data, and interrupting or degrading our services
Using exploits only to the extent needed to confirm a vulnerability, not to access data, establish persistence, or pivot to other systems
Testing only with accounts you own or are authorized to use
Giving us a reasonable amount of time to fix the issue before disclosing it publicly
What to expect: we'll acknowledge your report within 3 business days and aim to remediate confirmed vulnerabilities within 90 days. We don't currently operate a bug bounty program or offer monetary rewards.
Questions
For any other security-related questions, email security@lapel.com.