Verify Vulnerability Disclosure
Responsible disclosure rules for verify.attestlayer.com.
This disclosure page covers verify.attestlayer.com only, including the browser verification UI, public verification slug pages, download mirrors served by Verify, and Verify-controlled static assets.
How to report
Email security@attestlayer.com with the affected URL, steps to reproduce, impact, and any supporting screenshots, logs, or proof-of-concept material.
AttestLayer will acknowledge receipt within 3 business days and will coordinate remediation before public disclosure.
Rules of engagement
- Keep testing non-destructive and narrowly scoped to the Verify surface.
- Do not exfiltrate data, degrade availability, or test against customer systems.
- Stop once you have enough evidence to demonstrate the issue safely.
- Do not social-engineer AttestLayer personnel or third-party providers.
Out of scope
- Issues that affect only customer environments, third-party processors, or non-AttestLayer systems.
- Denial-of-service testing, spam, click-fraud, or physical security claims.
- Reports that require public disclosure before AttestLayer has had a reasonable remediation window.
This page does not promise a bug bounty.
Verify is a public, read-only verification surface. It does not create a paid service relationship on its own.
