Responsible Disclosure
At LazyEye, we take the security of our systems and our users' data seriously. If you have discovered a security vulnerability in our website, application, or infrastructure, we appreciate your help in disclosing it to us responsibly.
How to Report
Please report security vulnerabilities by emailing us at:
Please include as much information as possible to help us understand and reproduce the issue:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
Our Commitment
- We will acknowledge receipt of your report within 5 business days
- We will investigate and validate the reported vulnerability
- We will keep you informed of our progress
- We will resolve confirmed vulnerabilities as quickly as possible
- We will credit you (if desired) when the vulnerability is disclosed
Rules of Engagement
We ask that you:
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could harm the availability of our services (e.g., DDoS)
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
- Act in good faith and make a reasonable effort to avoid privacy violations
- Do not use the vulnerability beyond what is necessary to demonstrate the issue
Scope
The following systems are in scope:
- lazyeye.nl
- app.lazyeye.nl
- The LazyEye API
Third-party services we use (e.g., AsterDex, MetaMask) are out of scope. Please report vulnerabilities in those services directly to their respective teams.
Legal Safe Harbor
If you comply with the rules outlined above, we will not take legal action against you regarding the reported vulnerability. We consider responsible disclosure activities conducted in accordance with this policy to be authorized.
Last updated: March 2026