Vulnerability Disclosure Policy
Last updated: July 17, 2026
MatterGuardian serves law firms, and we take the security of firm data seriously. We welcome good-faith security research and appreciate reports that help us keep the platform safe. This policy explains what is in scope, how to report, and what you can expect from us.
How to Report
Email dev@matterguardian.com with:
- A description of the issue and its potential impact
- Step-by-step instructions to reproduce it (proof-of-concept requests, URLs, or screenshots help)
- The account or environment you used for testing
We aim to acknowledge your report within three (3) business days and will keep you informed as we validate and remediate.
Scope
In scope: app.matterguardian.com and matterguardian.com, including the client portal and the integration (OAuth) flows.
Out of scope:
- Denial-of-service or other volumetric testing
- Social engineering, phishing, or physical attacks against our team, customers, or infrastructure
- Vulnerabilities in third-party platforms we use (Vercel, Supabase, Stripe, Resend, Clio) — report those to the respective vendor
- Automated scanner output without a demonstrated, reproducible impact
- Missing security headers, SPF/DKIM/DMARC configuration notes, or clickjacking on pages with no sensitive actions, unless you can show a concrete exploit
Rules of Engagement
- Test only with accounts and data you own (a trial account is sufficient) — never access, modify, or delete another firm’s data
- If a test unexpectedly exposes data that is not yours, stop immediately, do not save or share it, and report what happened
- Do not degrade the service for other users
- Give us a reasonable opportunity to remediate before any public disclosure
Safe Harbor
We will not pursue legal action against researchers who make a good-faith effort to follow this policy. Research conducted under this policy is considered authorized, and we will not initiate complaints under computer-misuse laws for activity that complies with it.
Remediation Timelines
Once a report is validated, we target the following remediation timelines:
- Critical / High severity — as soon as possible, targeting within seven (7) days
- Medium severity — targeting within thirty (30) days
- Low severity — targeting within ninety (90) days
We will confirm with you when the fix ships.
Recognition
We do not currently operate a paid bug bounty program. We are happy to credit researchers who report valid issues, with your permission, and we are genuinely grateful for your help.