Vulnerability Disclosure Policy.

How to report security issues responsibly without putting restaurant operations or customer data at risk.

Responsible reporting

Limvero welcomes good-faith vulnerability reports that help protect restaurants, staff, guests and platform operations. Reports must avoid disruption, unauthorized access and unnecessary exposure of sensitive data.

security@limvero.com (use the contact form if email is unavailable)

Emergency boundary

If a test exposes data, grants unexpected access or affects service availability, stop immediately and report the details. Do not continue testing to prove broader impact.

Testing scope

Security testing must stay narrow, non-destructive and authorized.

In scope

Public Limvero web surfaces, authentication flows, tenant isolation boundaries, public API behavior, webhook signature handling and account security controls.

Out of scope

Third-party providers, customer-owned infrastructure, social engineering, denial-of-service testing, physical attacks and issues requiring access to data you are not authorized to view.

No live data access

Do not access, modify, delete, export or disclose restaurant, staff, guest, order, loyalty, billing or operational data.

No service disruption

Do not run automated scanners, load tests, spam, brute force, destructive payloads or tests that could interrupt restaurant service.

Report contents

Where to report

Send vulnerability reports to security@limvero.com with enough detail to reproduce the issue safely. If email is unavailable, use the public contact form and mark the request as security-sensitive.

What to include

Include the affected URL or endpoint, account context, reproduction steps, impact, screenshots or minimal proof, timestamps and whether any data may have been exposed.

What not to include

Do not send secrets, full customer exports, payment card data, government identifiers, excessive logs or unrelated personal data.

Coordinated disclosure

Allow Limvero time to validate, mitigate and communicate before public disclosure. Public timelines are coordinated case by case.

Safe testing rules

Use only accounts, tenants and data you are authorized to test.
Stop testing and report immediately if you encounter data that is not yours.
Keep findings confidential until Limvero confirms disclosure timing.
Do not pivot from a finding into broader access, persistence or lateral movement.

Response process

The process is designed for verification, mitigation and factual customer communication.

Triage

Limvero reviews the report, checks scope and determines whether the issue affects production, staging, public pages or customer data.

Mitigation

Confirmed issues are prioritized by impact, exploitability, affected tenants and operational risk, then tracked through fix and verification.

Communication

Material customer-impacting issues are communicated through appropriate account, product, legal or status channels.

Program boundary

This policy is not a bug bounty program and does not promise payment, swag, public credit, safe harbor outside the stated rules or legal advice.

Legal review boundary

This public policy describes the intended reporting workflow and must be aligned with final customer contracts, local law and legal counsel before paid public launch.
