Security Policy

Last updated:

Leftward Labs LLC is a one-person studio. We take security reports seriously and respond quickly. This page explains how to reach us, what is in scope, and what to expect in return.

How to report a vulnerability

Email security@leftwardlabs.com with a short description, reproduction steps, and any proof of concept. Encryption is optional; if you want it, ask and we will publish a PGP key.

The machine-readable contact record lives at /.well-known/security.txt per RFC 9116.

What we promise

  • Acknowledgement within 48 hours. A human reply, not an autoresponder, confirming we received the report.
  • Status update within 7 days. Either a confirmed reproduction, a request for more information, or a "not reproducible" note with reasoning.
  • Credit in release notes. Once a fix ships, we credit the reporter by name (or handle, or anonymously; your call).
  • 90-day disclosure window. We ask for 90 days from acknowledgement before public disclosure. If the fix ships sooner, you can disclose sooner. If we need longer for a hard fix, we will explain why and agree on a new date with you.

Scope

In scope:

  • The RiftWords mobile application on iOS and Android.
  • The leftwardlabs.com website and any subdomain we operate.
  • Any Leftward Labs LLC infrastructure that handles user data.

Out of scope:

  • Third-party SDKs such as AppLovin, RevenueCat, or analytics providers. Please report those to the vendor directly.
  • App Store and Google Play platform issues. Report those to Apple or Google.
  • Reports requiring social engineering of staff or family.
  • Denial-of-service tests against the live website or game backend.

What we ask of you

  • Give us 90 days before public disclosure unless we agree otherwise.
  • Do not access data that is not your own.
  • Do not run automated scanning that degrades service for other players.
  • Stay within the scope above.

Researchers who follow these guidelines will not face legal action from Leftward Labs LLC for activity in scope. We do not have a paid bounty program at this time.

A note from the studio

Leftward Labs is one person. Triage may take a few hours longer outside US Pacific business hours. We will reach you within the 48-hour window regardless. Thank you in advance for your patience and your work.