Lyric Cybersecurity Responsible Disclosure Policy

Purpose

At Lyric, we prioritize the security and privacy of our users, products, and services. We are committed to maintaining the highest standards of cybersecurity and welcome contributions from the security research community. This Responsible Disclosure Policy aims to facilitate the responsible reporting of security vulnerabilities to help us address and mitigate potential risks.

Scope

This policy applies to all web applications, mobile applications, and any other services or products provided by Lyric.

Our Commitment

  • We will acknowledge receipt of your vulnerability report within 5 business days

  • We will work with you to verify the vulnerability

  • We will provide an estimated timeline for remediating the vulnerability

  • We will notify you when the vulnerability has been resolved

  • We will not take legal action against individuals who discover and report security vulnerabilities in accordance with this policy

Reporting Guidelines

To ensure a smooth and effective disclosure process, please adhere to the following guidelines when reporting a vulnerability:

  1. Report Method: Send your findings to CISO@lyric.ai with the subject line "Vulnerability Report - [Brief Description]"

  2. Report Content: Include detailed information about the vulnerability, including:

    • A description of the vulnerability

    • Steps to reproduce the vulnerability

    • Potential impact of the vulnerability

    • Any available proof-of-concept or exploit code

    • All HTTP requests and responses used

    • HTML, screenshots, or any other supporting evidence

    • Recommended fix

    • Assumed impact

    • Your contact information (optional)

  3. Good Faith Testing: Conduct all vulnerability research in a manner that avoids:

    • Violating privacy or disrupting the operations of our services

    • Degrading user experience

    • Destroying or corrupting data

  4. Scope Exclusions: The following activities are prohibited and are not covered by this policy:

    • Physical attacks

    • Social engineering

    • Reverse engineering our software and services

    • Use of malware or ransomware, or exploitation of vulnerabilities found

    • Denial of Service (DoS) attacks

    • Spam

What We Ask of You

  • Non-Disclosure: Do not publicly disclose the vulnerability until we have confirmed that it has been resolved and have given you permission to disclose it

  • Responsible Timing: Allow us a reasonable amount of time to fix the vulnerability

  • Avoid Exploitation: Do not exploit the vulnerability beyond what is necessary to confirm its existence

Acknowledgment and Recognition

If you report a valid security vulnerability and follow the guidelines of this policy, we will:

At Lyric’s discretion, you may be eligible for monetary compensation for your effort.

Legal Safe Harbor

We believe in a safe harbor for security researchers who discover and report vulnerabilities responsibly. If you adhere to this policy in good faith, we will:

  • Consider your actions authorized

  • Work with you to understand and resolve the issue quickly

  • Not initiate or support legal action against you

Changes to This Policy

We may update this policy from time to time. The most current version will always be available on our website. Your continued participation in our responsible disclosure program after any modifications to this policy will constitute your acceptance of the changes.

Contact

For any questions regarding this policy, please contact us at CISO@lyric.ai

Thank you for helping us keep Lyric secure.