Vulnerability Disclosure Policy
Fields Ghaffari Labs (FGL) — the owner of Lawcuments and its sibling sites — welcomes good-faith security research. If you believe you have found a security vulnerability in anything we run, we want to hear about it, and this page tells you how.
Scope
This policy covers the web properties Fields Ghaffari Labs owns and operates:
- lawcuments.com and app.lawcuments.com
- expeal.com and app.expeal.com
- kitchenbridget.com
- tesibus.com
- dwendle.com
- FGL-operated application hosts on herokuapp.com subdomains
The underlying hosting platforms themselves (Dreamhost, Heroku, Google Workspace, GitHub) are not ours to authorize testing against — report issues in those platforms to their own security programs.
What we authorize
We authorize good-faith security research against the properties in scope: testing that respects users, avoids destruction, and stops at proof. Specifically, please:
- Make a good-faith effort to avoid privacy violations, data destruction, and interruption of service.
- Stop and report as soon as you can demonstrate an issue — don't pivot deeper, exfiltrate data, or persist access to prove impact.
- Never access, modify, or delete data that isn't yours. If you encounter someone else's personal data, stop and tell us.
- Don't run denial-of-service tests, spam, or social-engineering campaigns against us or our users.
Our commitment to you
If you follow this policy, we will not pursue or support legal action against you for your research. We consider good-faith research conducted under this policy to be authorized. We will work with you to understand and resolve the issue, and we won't share your report with third parties beyond what fixing the problem requires.
How to report
Email security@lawcuments.com with:
- the affected site or URL,
- what you found and why it matters,
- steps to reproduce it (proof-of-concept detail is welcome), and
- how you'd like to be credited or contacted, if at all.
What to expect
We aim to acknowledge your report within five business days. We'll tell you what we make of the issue, keep you posted on remediation, and let you know when it's fixed. We're a small operation and don't run a paid bug bounty — but we take reports seriously, fix what's real, and are glad to credit you if you'd like.
Every site in scope publishes this policy in its
/.well-known/security.txt (RFC 9116),
pointing at this page.