Public notice
How this notice applies
This page explains the website, portal, and online-tool terms that apply when you use Simon Law Group's public and client-facing digital services.
Effective Date: 2026-05-04
1. Purpose
Simon Law Group, LLC ("SLG") values the work of security researchers. This Policy explains how to report security vulnerabilities you find in our systems and what to expect from us. A machine-readable copy is published at https://www.simonattorneys.com/.well-known/security.txt per RFC 9116.
2. Scope
In scope:
- www.simonattorneys.com and subdomains operated by SLG;
- app.simonattorneys.com and authenticated functionality therein, where the testing complies with this Policy;
- official mobile applications, if and when published.
Out of scope:
- third-party vendor systems (Google Workspace, Plaid, Stripe, LawPay, SendBlue, OpenAI, SRFax, Turso, Render, GoDaddy, AFI.ai, SecureSign) — please report directly to those vendors;
- vulnerabilities in dependencies that we did not configure;
- physical security of SLG offices;
- social engineering of staff or clients;
- denial-of-service or volumetric attacks;
- spam, brute-force, or rate-limit testing;
- automated scanning that generates significant traffic.
3. Rules of engagement
You must:
1. Make a good-faith effort to avoid privacy violations, data destruction, service disruption, and impact to others.
2. Use only your own test accounts. Do not interact with other users' data.
3. Stop immediately when you confirm a vulnerability — do not exfiltrate, retain, or share data beyond what is necessary to demonstrate the issue. Under no circumstances may you access, view, copy, download, retain, or transmit client matter data, PHI, payment data, government-issued identifiers, or attorney-client privileged communications, even if access is technically possible. If your testing reveals such data, stop, report immediately, and do not retain any copy.
4. Report promptly through the channel below.
5. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate (see Section 6).
4. How to report
- Email: security@simonattorneys.com
- Encrypted communication: to exchange information securely, email security@simonattorneys.com and we will arrange an encrypted channel.
Include:
- description of the vulnerability;
- steps to reproduce;
- proof-of-concept (no destructive payloads);
- impact assessment;
- your contact information.
5. Safe harbor
If you make a good-faith effort to comply with this Policy, SLG will:
- not pursue or support legal action against you for the security research conducted under this Policy;
- consider your activity authorized for purposes of the Computer Fraud and Abuse Act and analogous state laws;
- consider your activity exempt from any contractual restrictions in our terms that would otherwise prohibit it;
- work with you to understand and validate your report;
- recognize your contribution if you wish.
The safe harbor does not apply where you violate this Policy, harm third parties, or violate other laws (such as the Wiretap Act or the Stored Communications Act). The safe harbor applies only to systems within the in-scope list in Section 2; activity targeting third-party vendor systems (Google Workspace, Plaid, Stripe, LawPay, SendBlue, OpenAI, SRFax, Turso, Render, GoDaddy, AFI.ai, SecureSign) is governed by those vendors' own policies, and SLG does not waive any rights as to such activity.
6. Disclosure timeline
We will:
- acknowledge receipt within 3 business days;
- provide a substantive response within 10 business days;
- aim to remediate qualifying vulnerabilities within 90 days;
- coordinate public disclosure with you when remediation is complete.
If we are unable to remediate within 90 days, we will explain why and propose a timeline.
7. Compensation
We do not currently operate a paid bug-bounty program. We thank researchers publicly (with permission) and may offer non-monetary recognition.
8. Reporting a security incident affecting you
If you believe your account has been compromised or you have received a suspicious message claiming to be from SLG, contact info@simonattorneys.com and (800) 709-1131 immediately.