Vulnerability Disclosure Policy

Fields Ghaffari Labs (FGL) — the owner of Lawcuments and its sibling sites — welcomes good-faith security research. If you believe you have found a security vulnerability in anything we run, we want to hear about it, and this page tells you how.

Scope

This policy covers the web properties Fields Ghaffari Labs owns and operates:

The underlying hosting platforms themselves (Dreamhost, Heroku, Google Workspace, GitHub) are not ours to authorize testing against — report issues in those platforms to their own security programs.

What we authorize

We authorize good-faith security research against the properties in scope: testing that respects users, avoids destruction, and stops at proof. Specifically, please:

Our commitment to you

If you follow this policy, we will not pursue or support legal action against you for your research. We consider good-faith research conducted under this policy to be authorized. We will work with you to understand and resolve the issue, and we won't share your report with third parties beyond what fixing the problem requires.

How to report

Email security@lawcuments.com with:

What to expect

We aim to acknowledge your report within five business days. We'll tell you what we make of the issue, keep you posted on remediation, and let you know when it's fixed. We're a small operation and don't run a paid bug bounty — but we take reports seriously, fix what's real, and are glad to credit you if you'd like.

Every site in scope publishes this policy in its /.well-known/security.txt (RFC 9116), pointing at this page.