Vulnerability Disclosure

This page covers buy.attestlayer.com only, including the direct-buyer storefront, buyer checkout pages, buyer sign-in request flows, and direct-buyer support or billing pages hosted on this domain.

1. How to report

If you believe you have found a security vulnerability, email security@attestlayer.com with:

• The affected URL or page on buy.attestlayer.com.
• Clear reproduction steps.
• Your assessment of impact or severity.
• Screenshots, logs, or a proof of concept if they help validate the issue safely.

2. Response targets

Please do not publicly disclose until we have had a chance to investigate and remediate. We will acknowledge receipt within 3 business days and provide status updates as appropriate.

3. Rules of engagement

• Keep testing non-destructive and narrowly scoped to buy.attestlayer.com.
• Do not exfiltrate or publish customer data.
• Do not degrade availability or run denial-of-service testing.
• Stop once you have enough evidence to demonstrate the issue safely.

4. Out of scope

• Customer environments, vendor systems, and third-party processors not operated by AttestLayer.
• Social engineering, physical security claims, spam, or reports that require public disclosure before a reasonable remediation window.
• Issues affecting other AttestLayer domains that have their own disclosure page.

This page does not promise a bug bounty. Helpful reports may still be acknowledged or discussed directly with the reporter.