Security Policy & Coordinated Vulnerability Disclosure
Last updated: May 15, 2026 · Reviewed by Reggie London (TX Bar 24043514) and Njeri London (TX Bar 24043266), Co-Founding Partners
Scope
This policy covers security issues affecting:
- The landllawgroup.com website (all subdomains and paths)
- The info@landllawgroup.com and security@landllawgroup.com mail infrastructure
- DNS, mail-routing, and TLS configuration for landllawgroup.com
Out of scope
- Third-party services we use but do not operate (Google Workspace, GoDaddy hosting, Formspree, Intaker, YouTube). Report those directly to the vendor.
- Findings that require physical access to a device or to our office
- Findings that require social engineering of our staff, contractors, or clients
- Denial-of-service findings demonstrated by actually performing a DoS attack
- Brute-force, credential-stuffing, or rate-limit-bypass research targeting login or contact endpoints
- Reports generated solely by an automated scanner without manual validation
- Self-XSS that requires the victim to paste attacker-supplied content into developer tools or the URL bar
- Missing security headers without a working proof-of-concept that demonstrates exploitability
- Theoretical vulnerabilities without working proof-of-concept
How to report
Send your report by email to security@landllawgroup.com, or if you cannot reach us by email, by phone at (972) 370-5060. Please include:
- A description of the issue and its impact
- The URL or endpoint where the issue can be reproduced
- Step-by-step reproduction instructions (the steps a non-specialist could follow)
- Any proof-of-concept payload, request, or screenshot necessary to verify the issue
- Your preferred contact method for follow-up
- Whether you would like to be named in our acknowledgments page (we default to anonymous unless you tell us otherwise)
What we commit to
- Acknowledgment within 72 hours of your report
- Initial triage and status update within 7 days
- Investigation in good faith, with periodic status updates while remediation is in progress
- Notification when the issue is resolved
- Credit on our acknowledgments page at your request
- No legal action against good-faith researchers who follow this policy (see Safe Harbor below)
Safe Harbor for Good-Faith Research
If you make a good-faith effort to comply with this policy during your security research, we will consider your research authorized, we will work with you to understand and resolve the issue quickly, and we will not initiate legal action against you, refer the matter for prosecution, or pursue civil claims against you. If your research is conducted in good faith but you inadvertently violate this policy, we will work with you in good faith to address the violation rather than treat it as a reason to escalate. This safe-harbor commitment applies only to security research conducted in accordance with this policy and only to the scope listed above; it does not waive any rights under attorney-client privilege, attorney work-product doctrine, or applicable law, and it does not authorize you to access, modify, exfiltrate, or destroy client data.
What we ask of you
- Reasonable disclosure timing. Give us a reasonable opportunity to remediate before public disclosure. We aim to resolve critical issues within 30 days and lower-severity issues within 90 days; if you believe your timeline should be different, please tell us in your initial report so we can agree on a coordinated date.
- Minimal access. Access only the data necessary to demonstrate the vulnerability. Do not access, modify, exfiltrate, or destroy data belonging to L and L Law Group, PLLC, our staff, our clients, or any third party.
- No service degradation. Do not run automated scans that materially affect site availability for legitimate users. Do not perform DoS attacks.
- No social engineering. Do not contact our staff, contractors, or clients pretending to be someone you are not.
- No data extortion or sale. If you discover what appears to be sensitive client information during testing, stop immediately and report the issue. Do not attempt to monetize or distribute the data.
Confidentiality
We are a law firm. Any information you encounter during security testing that appears to be confidential client information (anything that looks like attorney-client privileged communication, work product, or personal identifying information of a client) must be treated as confidential. Do not retain copies, do not share with third parties, and stop testing immediately if you suspect you have accessed protected client information. Notify us via the reporting channel and follow our remediation instructions.
Reporter recognition
Researchers who follow this policy and submit valid reports are credited on our acknowledgments page (unless they prefer anonymity). We do not currently operate a paid bug-bounty program.
Changes to this policy
This policy may be updated to reflect changes in our infrastructure or in industry practice. Material changes will be noted in the change log below. The current version is always available at landllawgroup.com/security-policy/ and is the version that governs your research.
Machine-readable contact information
Our RFC 9116 security.txt file is published at landllawgroup.com/.well-known/security.txt.
Reporting contact
Reggie London & Njeri London, Co-Founding Partners
L and L Law Group, PLLC
5899 Preston Rd, Suite 101
Frisco, TX 75034
Email: security@landllawgroup.com
Phone: (972) 370-5060
Change log
- 2026-05-15: Policy created. Initial coordinated-disclosure framework, safe-harbor language, scope/out-of-scope inventory, and 72-hour acknowledgment commitment published.