
LevelBlue Vulnerability Disclosure Program

Overview

At LevelBlue, we are committed to delivering secure solutions and safeguarding the trust of our users and customers. We believe security researchers are an important part of that effort. If you believe you have discovered a vulnerability on or within a LevelBlue product, service, or application, we want to hear from you as soon as possible. We ask that you keep such reports private until we have resolved the issue.

In return, we will work to review reports and respond in a timely manner. Our partner, Bugcrowd, will engage with you initially to triage your submission. LevelBlue will not pursue legal action or engage law enforcement in response to the responsible discovery of security issues, provided that you (1) adhere to applicable laws; (2) adhere to the policies set forth herein, or any other LevelBlue policy as applicable; (3) comply with Bugcrowd’s Standard Disclosure Terms; (4) avoid any actions that compromise the privacy, safety, or security of our users or systems; (5) refrain from destroying any sensitive data you might have gathered from LevelBlue as part of your research until the issues are resolved; and (6) acknowledge and comply with LevelBlue's confidentiality terms as outlined in the Terms of Use published on our website at https://levelblue.com/terms/website.

If you would like to publicly disclose a validated and resolved issue, contact us at cso@levelblue.com to request permission. We reserve the right to approve or deny disclosure requests at our discretion.

We appreciate your help in keeping LevelBlue safe. Your responsible research benefits everyone who uses our services. Thank you for your help!

Testing Guidelines

Researchers are expected to follow these responsible disclosure principles when identifying and reporting vulnerabilities:

  • Only test against domains listed in our in-scope targets
  • Do not attempt to access or alter any user data you do not own
  • Avoid activities that could disrupt services or degrade performance
  • Do not use social engineering, phishing, or physical attacks
  • Stop testing and notify us immediately if you find sensitive data

In-Scope

Testing is authorized only for the following domains:

  • Levelblue.com
  • Aveng.net
  • Aveng.me 
  • Alienvault.cloud
  • Alienvault.us
  • Levelblue.cloud
  • Levelblue.us
  • Levelblue.me

All other domains, services, or infrastructure - including any unlisted subdomains - are out of scope.

What We Are Interested In

LevelBlue welcomes reports on security issues that could significantly impact our systems or users. This includes, but is not limited to:

  • SQL injection, stored XSS, or other data exposure vulnerabilities
  • Broken authentication or session handling
  • Remote code execution
  • Logic flaws that lead to privilege escalation or data access
  • Novel techniques that bypass key controls

Excluded Vulnerabilities

Some issues are either well-known, low-impact, or not actionable. Please avoid reporting:

  • Denial-of-service techniques
  • User or email enumeration
  • Issues in outdated browsers, plugins, or unsupported apps
  • Public file disclosures with no clear impact (e.g., robots.txt)
  • Social engineering or phishing
  • SPF/DKIM/DMARC misconfigurations
  • Weak password requirements or CAPTCHA settings
  • SSL/TLS misconfigurations without a proven exploit
  • Cookie flag issues (e.g., HttpOnly, Secure) unless they lead to session compromise
  • Vulnerabilities in third-party services outside our control

You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use it to test the extent of access it grants or to download or exfiltrate data to prove it is active. Similarly, if you identify a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof of concept.

Excessive exfiltration or downloading of LevelBlue data, or demanding payment in return for the destruction of LevelBlue data, is considered outside of the scope of this program, and LevelBlue reserves all rights, remedies, and actions to protect itself and its users.

LevelBlue reserves the right to update this program at any time without prior notice. Changes will be effective upon posting to this page unless stated otherwise. By participating in this program, you represent and warrant that you are not located in, under the control of, or a national or resident of any country subject to U.S. trade sanctions or export restrictions. You also confirm that you are not listed on any U.S. government denied party list. Participation must comply with all applicable export control laws and regulations.

Submitting a Report

All vulnerability submissions are managed by our partner, Bugcrowd. Once a report is submitted, Bugcrowd will perform the initial triage, validate the issue, and may reach out to you directly for clarification or additional information. Bugcrowd serves as the primary point of contact throughout the verification process, working closely with LevelBlue’s internal security team to ensure timely and effective resolution. LevelBlue retains sole discretion to approve or deny disclosure requests. 

To report a vulnerability, send an email to: levelblue@submit.bugcrowd.com

Make sure your report is clear and the issue is reproducible. Include:

  • Affected URL(s), endpoint(s), or system(s)
  • Step-by-step instructions for reproducing the issue(s)
  • Impact assessment
  • Any supporting screenshots, logs, or proof-of-concept code