A clear, step-by-step description of how to reproduce the vulnerability

The specific asset affected (see Assets in Scope below)

An attack scenario demonstrating the potential impact

Screenshots, video, or proof-of-concept code if applicable

Web app: https://app.level.io

API: https://api.level.io

Agent API: https://agents.level.io

Level agent: Windows, macOS, and Linux

Authentication and session management — sign-in flows, session handling, OAuth, account recovery, password policies

Access control — permission bypasses, CSRF, unauthorized access between accounts

Injection vulnerabilities — SQL injection, XSS, and other input-based attacks

Cross-customer device access — any path that lets one customer access another customer's managed devices

Account-level vulnerabilities — malware upload, phishing URL embedding, RTLO/IDN homograph attacks from untrusted users on the same account

Rate limiting

Best-practice concerns without evidence of an exploitable vulnerability

Sessions not invalidating when 2FA is enabled

Vulnerabilities only affecting users on outdated, unpatched browsers

Race conditions with no security impact

CSRF on actions with no security impact (login, logout, unauthenticated pages)

Theoretical risks without a demonstrated attack path

Output from automated scanners without explanation

Email spoofing / SPF / DKIM / DMARC policies

Hyperlink injection in emails

Missing security headers unless tied to a specific vulnerability

SSL/TLS cipher issues without a working proof of concept

Banner grabbing and software version disclosure

Open ports without a demonstrated vulnerability

DNSSEC / DANE

HSTS or CSP headers

Disclosure of known public files (e.g., robots.txt)

Username or email enumeration

Autocomplete attributes on web forms

Denial of service against other customers' accounts

Social engineering of any kind against other customers or Level staff

Spearphishing attempts or contacting support as part of testing

Physical intrusion

Automated scanning, mail bombing, spam, brute-forcing, or automated attacks (e.g., Burp Intruder)

Leaking, manipulating, or destroying user data

DoS via malformed inputs or crafted file uploads triggering 500 errors

DoS via unlimited or very large password inputs

DoS via lack of pagination or large amounts of user-generated content slowing responses

Lack step-by-step reproduction instructions

Involve accessing other customers' accounts

Involve social engineering Level staff or customers

Use automated attack tools against Level infrastructure

Result in leaking, modifying, or destroying user data

Where do I send vulnerability reports? Email [email protected] with full reproduction steps and an impact scenario.

Do you have a bug bounty program? No, we don't have a bug bounty program. Contact [email protected] with questions.

Can I test against other customers' accounts? No. Testing must be done on your own Level accounts. Accessing other customers' accounts is an immediate disqualifier and may have legal consequences. Contact us if you need a sandbox environment.

My report includes output from an automated scanner. Will that work? Only if it's accompanied by a clear explanation of the vulnerability, reproduction steps, and an attack scenario. Raw scanner output alone won't be acted on.

How quickly will you respond? Response times aren't guaranteed. Contact [email protected] directly if you have an urgent disclosure.