Legal

Responsible disclosure

How to report security vulnerabilities in LoggerMan.

Last updated: 2026-06-03

Our approach

We appreciate researchers and customers who report security issues responsibly. Please do not test against other customers' projects, exfiltrate real log data, or attempt destructive actions on production systems.

What to report

  • Authentication or authorization bypasses in the dashboard
  • Ingest or API issues that expose another tenant's logs or tokens
  • Cross-site scripting or injection in the dashboard
  • Secrets exposed in client bundles or misconfigured endpoints
  • Billing or webhook handling that could affect other accounts

Out of scope

  • Social engineering, physical access, or denial-of-service tests
  • Issues in third-party services (Clerk, Convex, Stripe, Vercel) — report to them directly
  • Missing security headers without demonstrated impact
  • Brute-forcing credentials you do not own

How to submit

Email marvin.kiefer@swisswebdev.ch (or marvin.kiefer@swisswebdev.ch if security mail is unavailable) with:

  • A clear description and reproduction steps
  • Impact assessment (confidentiality, integrity, availability)
  • Optional proof-of-concept — use test projects and synthetic data where possible

Our commitment

We aim to acknowledge valid reports within five business days and provide a remediation timeline when appropriate. We do not currently operate a paid bug bounty program; we may recognize significant findings at our discretion.

See also our trust center, Privacy Policy, and Terms of Service.