LMI_

Vulnerability Disclosure Policy

LMI is committed to protecting our customers, our systems, and the information entrusted to us. We welcome reports from security researchers acting in good faith and appreciate responsible disclosure of potential security vulnerabilities.

This policy explains which systems are in scope, how to report a vulnerability, and what you can expect from us throughout the disclosure process.

Authorization (Safe Harbor)

If you make a good-faith effort to comply with this policy during your security research, we will consider your testing authorized, work with you to understand and resolve the issue, and will not pursue or support legal action against you for your research.

This authorization does not extend to activity that:

  • Violates applicable law
  • Falls outside the scope of this policy
  • Results in unnecessary access, copying, or disclosure of sensitive data
  • Disrupts services or impacts customer privacy

Report a Vulnerability

Please submit vulnerability reports to: cybersecurity@lmisolutions.com

Reports may be submitted anonymously. You are not required to provide personally identifiable information, although contact information is helpful if we need to follow up regarding your report.

To help us investigate, please include:

  • Description of the vulnerability
  • Affected URL, system, or component
  • Steps to reproduce the issue
  • Proof of concept or screenshots, if available
  • Your assessment of the potential impact

Information submitted under this policy will be used solely for defensive purposes to investigate and remediate security vulnerabilities.

What You Can Expect

If you provide contact information, we will:

  • Acknowledge receipt within three business days
  • Validate and investigate your report
  • Keep you informed of remediation progress when appropriate

We ask that you provide us a reasonable opportunity to investigate and remediate reported vulnerabilities before making them publicly available.

Scope

In Scope

The following production environment is covered by this policy:

  • IronSled FedRAMP production environment (*.ironsled.onmicrosoft.us)
  • LIGER application
  • Associated API endpoints

Out of Scope

The following are not authorized for testing under this policy:

  • Any LMI system or service not explicitly listed above
  • Third-party services or platforms not operated by LMI
  • Physical security testing
  • Social engineering or phishing
  • Denial-of-service (DoS/DDoS), load, or stress testing
  • Testing inherited cloud infrastructure managed by cloud providers
  • Automated scanner output without demonstrated security impact
  • Theoretical vulnerabilities that cannot be reproduced
  • Vulnerabilities affecting unsupported or end-of-life software

Research Guidelines

When conducting research under this policy, please:

  • Stay within the defined scope
  • Avoid service disruption or degradation
  • Minimize access to data
  • Do not modify, destroy, or exfiltrate information
  • Report findings promptly
  • Keep vulnerability details confidential until remediation is complete

Handling Sensitive Information

If you encounter Controlled Unclassified Information (CUI), personally identifiable information (PII), or other sensitive data while testing:

Questions

Questions about this policy may be directed to: cybersecurity@lmisolutions.com

Last updated: July 2026