What is in scope
This disclosure path covers the attestlayer.com root site only, including the company pages, trust pages, policy pages, and root-domain corporate contact routes served on that domain.
Issues affecting buy.attestlayer.com, partners.attestlayer.com, verify.attestlayer.com, registry.attestlayer.com, or other non-root surfaces should be reported through the disclosure page for the relevant domain. Third-party platforms, customer systems, or content that AttestLayer does not operate are out of scope.
How to report an issue
Email security@attestlayer.com with enough detail for reproduction, including:
- The affected URL, host, or surface.
- Clear steps to reproduce the issue.
- The observed impact and any suggested severity.
- Timestamps, screenshots, logs, or proof-of-concept material that helps confirm the report.
Rules of engagement
AttestLayer asks researchers to keep testing safe, targeted, and non-destructive.
- Do not exfiltrate or publicly expose customer or user data.
- Do not degrade service availability or run denial-of-service testing.
- Do not modify data that does not belong to you.
- Stop once you have enough evidence to demonstrate the issue safely.
Coordination and disclosure expectations
AttestLayer will acknowledge receipt within 3 business days and will work toward a coordinated remediation path. Please do not publish exploit details before AttestLayer has had a reasonable chance to investigate and address the issue.
AttestLayer does not promise a bug bounty on this page. If a report is especially helpful, recognition can still be discussed directly with the reporter.