LEVRG logo — negotiation intelligence for dealership sales floorsBack to home

LEVRG Corp.
Effective date: June 15, 2026

Vulnerability disclosure policy

LEVRG welcomes good-faith security research that helps us protect our customers and platform. This page describes how to report vulnerabilities in LEVRG-owned systems.

Contact: security@levrg.ai
Mailing address: 3101 W Drexel Ave Unit 217, Franklin, WI 53132, United States

Scope

This policy covers security issues in:

  • Public website and application at https://www.levrg.ai (including authenticated rep, manager, and admin workflows)
  • LEVRG API hosted at https://levrg.onrender.com when the issue affects LEVRG application code or configuration under our control
  • Subdomains of levrg.ai that serve LEVRG product or marketing content

Reports for LEVRG web and API properties should use the contact in our security.txt file at levrg.ai.

Out of scope

Please do not report the following through this channel:

  • Denial-of-service or load tests against production
  • Social engineering, phishing, or physical attacks
  • Issues in third-party services we do not operate (for example, Google Workspace, SendGrid, Vercel, Render, or Supabase infrastructure outside our configuration)
  • Missing security headers or TLS settings on third-party default pages we do not control
  • Spam, abuse of support forms, or non-security product feedback (use support@levrg.ai instead)

Safe harbor

If you act in good faith, avoid privacy violations and service disruption, and follow this policy, LEVRG will not pursue legal action against you for authorized research activities. Do not access, modify, or exfiltrate data belonging to other users. Use test accounts you control when possible.

How to report

Email security@levrg.ai with:

  1. A clear description of the issue and affected URL or API path
  2. Steps to reproduce
  3. Impact assessment (what an attacker could do)
  4. Your contact information for follow-up

If you have a proof-of-concept, include it in the report. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

What to expect

  • Acknowledgment: We aim to confirm receipt within 5 business days.
  • Updates: We will keep you informed of material progress when you provide a valid contact address.
  • Resolution: Timelines depend on severity and complexity; critical issues affecting customer data or authentication are prioritized.
  • Recognition: We do not operate a public bug-bounty or hall-of-fame program at this time.

Coordination

Please allow us time to fix validated issues before public disclosure. We may ask for additional information or coordinate retesting after a fix is deployed.

For general security and data-handling practices, see our Data security summary. For privacy questions, see the Privacy Policy.