Responsible Disclosure
We work with security researchers in good faith. If you find a vulnerability that affects Last1 ID or any integrated app, tell us — we'll act on it.
How to report
Email security@last1.id. Include a short description of the issue, the affected endpoint or component, the steps to reproduce it, and the impact you believe it has. If a public proof-of-concept exists, link it; do not attach exploit code that could harm users, and do not include real user data in your report.
A machine-readable copy of this policy is published at /.well-known/security.txt per RFC 9116.
What's in scope
Anything on last1.id and its API, the Last1 ID dashboard, the OAuth/OIDC implementation, the credential signing pipeline, and the trust-event ingestion APIs.
What's not in scope
Third-party services (Supabase, Cloudflare, Twilio): report those directly to the provider. Also out of scope are rate-limiting findings on login (repeated login attempts without a demonstrated account compromise), missing security headers on landing-page assets, and duplicates of issues already reported to us.
Our commitment to you
We acknowledge your report within 3 business days, give you a triage status within 7 days, and coordinate disclosure timing with you before any public write-up. Reasonable, good-faith research will never get you sued under the CFAA or DMCA.
Safe harbor
If you follow this policy (no privacy violations, no service disruption, no destruction of data, no access beyond what is necessary to demonstrate the issue), we will not pursue civil action or a criminal complaint against you, and will defend you if a third party attempts to bring legal action over that research. If you come across personal data or credentials belonging to someone else while testing, stop at that point, do not retain or share what you saw, and say so in your report.
Disclosure timeline
Default 90 days from triage to public disclosure, extendable by mutual agreement. Credit goes to the reporter unless you ask otherwise.
Hall of fame
Researchers who have responsibly disclosed issues will be listed here with their permission. (We're new — be the first.)