AttestLayer

AttestLayer Policy

Vulnerability Disclosure

AttestLayer welcomes responsible security reporting on the attestlayer.com root site. This page explains how to report an issue, what root-site scope is covered, and how coordinated disclosure works.

Updated 18 April 2026 Canonical root-domain policy

What is in scope

This disclosure path covers the attestlayer.com root site only, including the company pages, trust pages, policy pages, and root-domain corporate contact routes served on that domain.

Issues affecting buy.attestlayer.com, partners.attestlayer.com, verify.attestlayer.com, registry.attestlayer.com, or other non-root surfaces should be reported through the disclosure page for the relevant domain. Third-party platforms, customer systems, or content that AttestLayer does not operate are out of scope.

How to report an issue

Email security@attestlayer.com with enough detail for reproduction.

  • The affected URL, host, or surface.
  • Clear steps to reproduce the issue.
  • The observed impact and any suggested severity.
  • Timestamps, screenshots, logs, or proof-of-concept material that helps confirm the report.

Rules of engagement

AttestLayer asks researchers to keep testing safe, targeted, and non-destructive.

  • Do not exfiltrate or publicly expose customer or user data.
  • Do not degrade service availability or run denial-of-service testing.
  • Do not modify data that does not belong to you.
  • Stop once you have enough evidence to demonstrate the issue safely.

Coordination and disclosure expectations

AttestLayer will acknowledge receipt within 3 business days and will work toward a coordinated remediation path. Please do not publish exploit details before AttestLayer has had a reasonable chance to investigate and address the issue.

AttestLayer does not promise a bug bounty on this page. If a report is especially helpful, recognition can still be discussed directly with the reporter.

Record-only boundary

AttestLayer operates a record-only evidence issuance service. It is not an audit opinion, compliance certification, control framework, regulatory approval, or legal advisor. Verified or not-verified outcomes describe the packaging and signing of submitted records, not the legality, accuracy, or business meaning of the underlying activity. Adoption, endorsement, mandate, approval, or sponsorship by any bank, insurer, PSP, government body, regulator, platform, or institution is not implied unless a signed public agreement says so.