At Level, security is a top priority. We are dedicated to maintaining the confidentiality, integrity, and availability of our platform and services. We’re always looking out for potential vulnerabilities and running quarterly penetration tests with external security vendors. However, we know that real-world use can sometimes uncover issues we might miss, so we encourage users to report any security vulnerabilities they discover.
Scope of Security Reports
Before submitting a vulnerability report, please review our in-scope and out-of-scope guidelines.
In-scope Assets
Strong authentication: issues related to sign-in, sessions, OAuth, account recovery, password policies, and other authentication mechanisms.
Access control: bypasses, faults, cross-site request forgery (CSRF), and other issues related to access control.
Injection prevention: vulnerabilities related to SQL injection, cross-site scripting (XSS), method arguments, and other injection attacks.
Device management: issues related to the ability to access devices managed by other customers.
Vulnerabilities that require untrusted users on the same account: uploading malware, embedding phishing URLs in comments, RTLO-based attacks in URLs, IDN homograph attacks, etc.
Note: Testing should be done on your own Level accounts. If you need a sandbox environment for testing, just let us know!
Out-of-scope Assets
The following issues are outside the scope of our security reports. These apply to all our in-scope assets.
Critical Exclusions
Attempting access to other customers' accounts.
Denial of service: disrupting other customers' access to their own accounts.
Social engineering of any kind against other customers or Level staff, including spearphishing attempts or contacting our support team.
Overwhelming our support team with messages. Don't fuzz Contact Support forms.
Physical intrusion.
Automated scanning, mail bombing, spam, brute-forcing, or automated attacks with programs like Burp Intruder.
Leaking, manipulating, or destroying any user data.
Technical Exclusions
Email spoofing, including SPF/DKIM/DMARC policies.
Hyperlink injection in emails
Rate limiting
Best-practice concerns (we require evidence of a security vulnerability)
Existing sessions not being invalidated when 2FA is enabled
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Race conditions that don't compromise the security of any user or Level
Reports about theoretical damage without a real risk
The output of automated scanners without explanation
CSRF with no security implications (such as login, logout, or unauthenticated CSRF)
Broken links
Missing cookie flags on non-security sensitive cookies
Attacks requiring physical or console access to a user's device
Missing security headers not related to a security vulnerability
Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
Banner grabbing to identify the stack we use, or software version disclosure
Open ports without a vulnerability
Password and account recovery policies, such as reset link expiration or password complexity
Disclosure of known public files or directories (e.g. robots.txt)
Reports of spam
Username/email address enumeration
Presence of autocomplete attribute on web forms
DNSSEC and DANE
HSTS or CSP headers
Host header injection unless you can show how a third-party can exploit it
Reflected File Download (RFD)
EXIF information not stripped from uploaded images
DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads
DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
DoS vulnerabilities based on unlimited password length (hint: the password length is not unlimited)
DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
Using product features like invitation/signup/forgot-password to deliver messages to any email address
Unrestricted file upload without a clear attack scenario or PoC
JavaScript code executed from a PDF within the browser's PDF viewer, where the attack surface is locked down (for example, JavaScript support in PDFs in Chrome's PDF viewer is an intentional feature, so long as it can't be used to mount an attack)
Assets in Scope
Web App: https://app.level.io
API: https://api.level.io
Agent API: https://agents.level.io
Windows / macOS / Linux Agent
Disqualifiers
Reports without a detailed step-by-step explanation of how to replicate the issue and an attack scenario demonstrating the risk.
Any of the activities listed under Critical Exclusions above.
Guidelines
To help us quickly address any issues, please include a detailed, step-by-step explanation of how to reproduce the vulnerability and a scenario showing the potential risk. Responsible disclosure is key—we commit to resolving bugs as quickly as possible.
If you’re creating a new account for vulnerability testing, please add "Tester" to your email address (e.g., [email protected]) to help us filter out test accounts from our metrics.
If you have any questions about this process, feel free to reach out to us at [email protected].