    Trust Center · Vulnerability Disclosure

    Found a security issue? Tell us.

    We welcome good-faith security research on leadstosalesagency.com and leadstosales.app. Email security@leadstosalesagency.com — we acknowledge within 1 business day and triage within 5. Safe-harbor terms apply.

    Reporting channel

    Email security@leadstosalesagency.com. PGP is optional: ask for our key in your first message and we will reply with the key's fingerprint and the public key block. The same contact details are published in machine-readable form at /.well-known/security.txt, following RFC 9116.

    Please do not file security reports through public GitHub issues, social media, or our regular contact form.

    Our response SLA

    • 1 business day — acknowledgment of receipt.
    • 5 business days — initial triage and severity assessment.
    • 30 days — fix or written remediation plan for high/critical severity.
    • 90 days — coordinated public disclosure, with credit to you if you wish.

    In scope

    • leadstosalesagency.com (and any subdomain)
    • leadstosales.app (the CRM portal)
    • Any public API surface under leadstosalesagency.com/api/
    • Any first-party JavaScript on either domain

    Out of scope

    • Hosting-platform vulnerabilities — please report directly to the platform vendor's security team
    • Vulnerabilities in third-party services we use (OpenAI, Google, Stripe, Twilio) — please report directly to those vendors
    • Brute-force, credential stuffing, or denial-of-service testing
    • Self-XSS or social-engineering attacks against Leads to Sales staff or clients
    • Physical security testing
    • Reports of missing best-practice headers without a working exploit (e.g., 'COOP not set on /xyz')

    Safe harbor

    • We will not pursue legal action against you for good-faith research conducted under this policy.
    • We consider activities consistent with this policy to be 'authorized' under the Computer Fraud and Abuse Act and state-equivalent laws.
    • We will work with you to understand the issue and resolve it; we will credit you if you wish (and you may remain anonymous).

    We do not currently run a paid bounty program. We do offer public credit (named or anonymous, your choice) and, where possible, a small thank-you of your choosing.