Security & responsible disclosure
Last updated: May 29, 2026. This page is scoped to the Family Law Center routes; the platform-wide security posture is at /trust/brain.
Why this product gets special treatment
Family Law Center serves survivors of domestic violence and people leaving high-conflict relationships. A bug on our marketing landing is a bug. A bug that exposes a matter UUID to the wrong person, leaks a safe-mode state, or weakens the quick-exit primitive can put a real person in physical danger.
We will triage any disclosure within 72 hours, and safety-relevant disclosures get same-day attention. We publish acknowledgments (with permission) and do not send legal threats to researchers acting in good faith.
In scope
- /family/*: consumer routes (marketing, matter dashboard, panels, settings)
- /api/family/*: consumer APIs (matter CRUD, vault, briefs, mediation, settlement, support calc, post-order, forms)
- /family/opposing-counsel/view: public HMAC-gated share view
- /family/matter/[id]/calendar.ics: public calendar subscription (HMAC-gated)
- /embed/family-intake/[slug]: iframe-safe intake embed
- /attorney/dashboard/family-inbox/*: attorney-side surfaces
- /admin/family/*: admin surfaces (note: unauthenticated probes only; do not access real admin data)
Out of scope
- Denial-of-service via volume against any endpoint
- Social engineering targeting LawSensai employees, our attorneys, or our users
- Physical attacks against LawSensai facilities
- Findings already documented in the public audit reports in our repository
- Findings whose only impact is on a researcher's own test account
Safe-harbor
We will not pursue legal action against researchers who:
- Act in good faith and report directly to us
- Do not access, modify, exfiltrate, or destroy other users' data
- Stop as soon as they have confirmed a finding, and give us a reasonable window to fix before public disclosure
- Comply with applicable law
How to report
Email security@lawsens.ai with:
- A clear description of the finding
- Steps to reproduce, ideally with a video or screenshots
- The affected URL or API endpoint
- Any proof-of-concept artifacts (no real user data)
PGP key for sensitive reports is available on request. Tag safety-relevant findings with [SAFETY] in the subject for same-day triage.
What to expect after reporting
- Acknowledgment within 72 hours (same day for [SAFETY])
- Triage decision + rough timeline within 5 business days
- Fix shipped, then verification round-trip with you
- Public acknowledgment (with your permission) once the fix is live
External pen-test commitment
Family Law Center is scoped for an annual external penetration test by an independent third party. The test report's executive summary is published to this page once available; the detailed findings stay internal until remediated and re-tested.
Past disclosures
When a researcher disclosure leads to a code change, we link the commit + PR here with the researcher's permission. The list below is intentionally short because the platform is young; we expect it to grow.
No public disclosures yet. We have completed an internal NNEDV-principles-aligned self-audit (Tier 2 closeout); the findings + fixes are in the repository under FamilyLawCenter_Audit_Report.md.