LMI_
LMI is committed to protecting our customers, our systems, and the information entrusted to us. We welcome reports from security researchers acting in good faith and appreciate responsible disclosure of potential security vulnerabilities.
This policy explains which systems are in scope, how to report a vulnerability, and what you can expect from us throughout the disclosure process.
Authorization (Safe Harbor)
If you make a good-faith effort to comply with this policy during your security research, we will consider your testing authorized, work with you to understand and resolve the issue, and will not pursue or support legal action against you for your research.
This authorization does not extend to activity that:
- Violates applicable law
- Falls outside the scope of this policy
- Results in unnecessary access, copying, or disclosure of sensitive data
- Disrupts services or impacts customer privacy
Report a Vulnerability
Please submit vulnerability reports to: cybersecurity@lmisolutions.com
Reports may be submitted anonymously. You are not required to provide personally identifiable information, although contact information is helpful if we need to follow up regarding your report.
To help us investigate, please include:
- Description of the vulnerability
- Affected URL, system, or component
- Steps to reproduce the issue
- Proof of concept or screenshots, if available
- Your assessment of the potential impact
Information submitted under this policy will be used solely for defensive purposes to investigate and remediate security vulnerabilities.
What You Can Expect
If you provide contact information, we will:
- Acknowledge receipt within three business days
- Validate and investigate your report
- Keep you informed of remediation progress when appropriate
We ask that you provide us a reasonable opportunity to investigate and remediate reported vulnerabilities before making them publicly available.
Scope
In Scope
The following production environment is covered by this policy:
- IronSled FedRAMP production environment (
*.ironsled.onmicrosoft.us) - LIGER application
- Associated API endpoints
Out of Scope
The following are not authorized for testing under this policy:
- Any LMI system or service not explicitly listed above
- Third-party services or platforms not operated by LMI
- Physical security testing
- Social engineering or phishing
- Denial-of-service (DoS/DDoS), load, or stress testing
- Testing inherited cloud infrastructure managed by cloud providers
- Automated scanner output without demonstrated security impact
- Theoretical vulnerabilities that cannot be reproduced
- Vulnerabilities affecting unsupported or end-of-life software
Research Guidelines
When conducting research under this policy, please:
- Stay within the defined scope
- Avoid service disruption or degradation
- Minimize access to data
- Do not modify, destroy, or exfiltrate information
- Report findings promptly
- Keep vulnerability details confidential until remediation is complete
Handling Sensitive Information
If you encounter Controlled Unclassified Information (CUI), personally identifiable information (PII), or other sensitive data while testing:
- Stop testing immediately
- Do not access, retain, copy, or disclose the data
- Notify us promptly at cybersecurity@lmisolutions.com
Questions
Questions about this policy may be directed to: cybersecurity@lmisolutions.com
Last updated: July 2026