Vulnerability Disclosure Program

At Level2, we take the security of our platform and the protection of our users' data very seriously. We value the work of the security research community and encourage responsible disclosure of vulnerabilities that may impact our systems.

If you believe you have discovered a security issue, we ask that you report it responsibly so that we can investigate and resolve the issue as quickly as possible.

Report a Vulnerability

If you believe you have discovered a security vulnerability in any Level2 service, please report it privately to our security team at security@trylevel2.com.

We ask that vulnerabilities be reported responsibly and not publicly disclosed until we have had reasonable time to investigate and address the issue.

When reporting a vulnerability, please include as much information as possible to help us reproduce and resolve the issue quickly.

  • A detailed description of the vulnerability.
  • Step-by-step instructions to reproduce the issue.
  • Proof-of-concept (PoC) scripts, screenshots, or logs.
  • The potential security impact of the issue.
  • Any suggested remediation, if available.

Our Response Process

Once a vulnerability report is received, our security team will review the submission and begin investigating the issue.

  • We aim to acknowledge vulnerability reports within 72 hours.
  • Our team will investigate and validate the reported issue.
  • We may contact you if additional information is required.
  • We will work to resolve verified issues as quickly as possible.
  • We will notify you when the vulnerability has been resolved.

In Scope

The following assets and vulnerability types are considered in-scope for responsible disclosure under this program.

Domains

  • trylevel2.com
  • *.trylevel2.com

Vulnerabilities

We are particularly interested in vulnerabilities that could impact user data, system integrity, or platform security.

  • Authentication bypass or account takeover vulnerabilities.
  • Broken access control or privilege escalation issues.
  • Insecure Direct Object References (IDOR).
  • Cross-Site Scripting (XSS).
  • Cross-Site Request Forgery (CSRF).
  • Server-Side Request Forgery (SSRF).
  • SQL Injection or NoSQL Injection.
  • Remote Code Execution (RCE).
  • Sensitive data exposure or unintended information disclosure.
  • Subdomain takeover vulnerabilities.
  • Security misconfigurations with meaningful security impact.

Out of Scope

The following issues are generally considered out of scope for this disclosure program unless a clear security impact is demonstrated.

  • Denial of Service (DoS / DDoS) attacks.
  • Brute force or credential stuffing attacks.
  • Missing security headers without exploit impact.
  • Clickjacking on pages without sensitive user actions.
  • Self-XSS that requires a user to manually paste code.
  • Vulnerabilities affecting third-party services or vendors.
  • Reports generated solely from automated scanning tools.
  • Social engineering or phishing attacks targeting personnel.

Testing Guidelines

To ensure that security research is conducted safely and responsibly, we ask researchers to follow the guidelines below when testing our systems.

  • Do not access, modify, or delete other users’ data.
  • Avoid automated scanning that may impact service availability.
  • Do not attempt denial-of-service or resource exhaustion attacks.
  • Do not exploit vulnerabilities beyond proof-of-concept.
  • Stop testing immediately if sensitive data is exposed.

Safe Harbor

Security research conducted in accordance with this policy will be considered authorized. Level2 will not initiate legal action against researchers who act in good faith, follow responsible disclosure practices, and comply with the guidelines described in this policy.

Hall of Fame

We greatly appreciate the contributions of security researchers who help improve the security of our platform through responsible disclosure.

Researchers who submit valid vulnerability reports may be publicly acknowledged in our Hall of Fame, unless they prefer to remain anonymous.

No entries yet — be the first to help secure Level2.