What is in scope
This disclosure path covers the attestlayer.com root site only, including the company pages, trust pages, policy pages, and root-domain corporate contact routes served on that domain.
Issues affecting buy.attestlayer.com, partners.attestlayer.com, verify.attestlayer.com, registry.attestlayer.com, or other non-root surfaces should be reported through the disclosure page for the relevant domain. Third-party platforms, customer systems, or content that AttestLayer does not operate are out of scope.
How to report an issue
Email security@attestlayer.com with enough detail for reproduction.
- The affected URL, host, or surface.
- Clear steps to reproduce the issue.
- The observed impact and any suggested severity.
- Timestamps, screenshots, logs, or proof-of-concept material that helps confirm the report.
Rules of engagement
AttestLayer asks researchers to keep testing safe, targeted, and non-destructive.
- Do not exfiltrate or publicly expose customer or user data.
- Do not degrade service availability or run denial-of-service testing.
- Do not modify data that does not belong to you.
- Stop once you have enough evidence to demonstrate the issue safely.
Coordination and disclosure expectations
AttestLayer will acknowledge receipt within 3 business days and will work toward a coordinated remediation path. Please do not publish exploit details before AttestLayer has had a reasonable chance to investigate and address the issue.
AttestLayer does not promise a bug bounty on this page. If a report is especially helpful, recognition can still be discussed directly with the reporter.
Record-only boundary
AttestLayer operates a record-only evidence issuance service. It is not an audit opinion, compliance certification, control framework, regulatory approval, or legal advisor. Verified or not-verified outcomes describe the packaging and signing of submitted records, not the legality, accuracy, or business meaning of the underlying activity. Adoption, endorsement, mandate, approval, or sponsorship by any bank, insurer, PSP, government body, regulator, platform, or institution is not implied unless a signed public agreement says so.