Report Security Vulnerability

Report security vulnerabilities in Level with guidelines on scope, disqualifiers, and submission. Contact us with questions.

At Level, security is a top priority. We are dedicated to maintaining the confidentiality, integrity, and availability of our platform and services. We’re always looking out for potential vulnerabilities and running quarterly penetration tests with external security vendors. However, we know that real-world use can sometimes uncover issues we might miss, so we encourage users to report any security vulnerabilities they discover.

Scope of Security Reports

Before submitting a vulnerability report, please review our in-scope and out-of-scope guidelines.

In-scope Assets

  • Strong authentication: issues related to sign-in, sessions, OAuth, account recovery, password policies, and other authentication mechanisms.

  • Access control: bypasses, faults, cross-site request forgery (CSRF), and other issues related to access control.

  • Injection prevention: vulnerabilities related to SQL injection, cross-site scripting (XSS), method arguments, and other injection attacks.

  • Device management: issues related to the ability to access devices managed by other customers.

  • Vulnerabilities that require untrusted users on the same account: uploading malware, embedding phishing URLs in comments, RTLO-based attacks in URLs, IDN homograph attacks, etc.

Note: Testing should be done on your own Level accounts. If you need a sandbox environment for testing, just let us know!

Out-of-scope Assets

The following issues are outside the scope of our security reports. These apply to all our in-scope assets.

Critical Exclusions

  • Attempting access to other customers' accounts.

  • Denial of service: disrupting other customers' access to their own accounts.

  • Social engineering of any kind against other customers or Level staff, including spearphishing attempts or contacting our support team.

  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.

  • Physical intrusion.

  • Automated scanning, mail bombing, spam, brute-forcing, or automated attacks with programs like Burp Intruder.

  • Leaking, manipulating, or destroying any user data.

Technical Exclusions

  • Email spoofing, including SPF/DKIM/DMARC policies.

  • Hyperlink injection in emails

  • Rate limiting

  • Best practices concerns (we require evidence of a security vulnerability)

  • Sessions not being invalidated when 2FA is enabled

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Race conditions that don't compromise the security of any user or Level

  • Reports about theoretical damage without a real risk

  • The output of automated scanners without explanation

  • CSRF with no security implications (like Login/logout/unauthenticated CSRF)

  • Broken links

  • Missing cookie flags on non-security sensitive cookies

  • Attacks requiring physical or console access to a user's device

  • Missing security headers not related to a security vulnerability

  • Reports of insecure SSL/TLS ciphers unless you have a working proof of concept

  • Banner grabbing issues to figure out the stack we use or software version disclosure

  • Open ports without a vulnerability

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Disclosure of known public files or directories (e.g. robots.txt)

  • Reports of spam

  • Username/email address enumeration

  • Presence of autocomplete attribute on web forms

  • DNSSEC and DANE

  • HSTS or CSP headers

  • Host header injection unless you can show how a third-party can exploit it

  • Reflected File Download (RFD)

  • EXIF information not stripped from uploaded images

  • DoS targeting other users on the same account, e.g. using malformed inputs or crafted file uploads

  • DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error

  • DoS vulnerabilities based on unlimited password length (hint: the password length is not unlimited)

  • DoS vulnerabilities based on lack of pagination or lots of user content slowing response times

  • Using product features like invitation/signup/forgot-password to deliver messages to any email address

  • Unrestricted file upload without a clear attack scenario or PoC

  • JavaScript code executed from a PDF within the browser's PDF viewer, where the attack surface is locked down (for example, JavaScript support in PDFs in Chrome's PDF viewer is an intentional feature, so long as it can't be used to mount an attack)

Disqualifiers

  • Reports without a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.

  • Attempts to access other customers' accounts.

  • Denial of service: disrupting other customers' access to their own accounts.

  • Social engineering of any kind against other customers or Level staff, including spearphishing attempts or contacting our support team.

  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.

  • Physical intrusion.

  • Automated scanning, mail bombing, spam, brute-forcing, or automated attacks with programs like Burp Intruder.

  • Leaking, manipulating, or destroying any user data.

Guidelines

To help us quickly address any issues, please include a detailed, step-by-step explanation of how to reproduce the vulnerability and a scenario showing the potential risk. Responsible disclosure is key—we commit to resolving bugs as quickly as possible.

If you’re creating a new account for vulnerability testing, please add "Tester" to your email address (e.g., [email protected]) to help us filter out test accounts from our metrics.

If you have any questions about this process, feel free to reach out to us at [email protected].
