LightBox Parent, L.P.
Vulnerability Disclosure Policy
Rev 5-9-2025
Introduction
LightBox Parent, L.P. (“LightBox”, “we”, “our”, or “us”) welcomes feedback from security researchers and members of the public to help improve our security posture. If you believe you have discovered a vulnerability, privacy issue, data exposure, or other security concern involving any LightBox digital asset, please report it to us promptly and responsibly.
This policy outlines the systems in scope, the expectations we have for researchers, the legal protections we extend, and the steps for submitting reports.
Systems in Scope
This policy applies to digital assets owned, operated, or maintained by LightBox Parent, L.P., including but not limited to publicly accessible websites, APIs, and applications under the lightboxre.com domain.
Out of Scope
The following are considered out-of-scope:
- Third-party services, infrastructure, and assets not owned or operated by LightBox;
- Social engineering (e.g., phishing);
- Physical attacks against LightBox facilities, employees, or property;
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks;
- Spam, brute force attacks, or automated scanning that disrupts or degrades our services.
Reports relating to out-of-scope systems should be directed to the responsible third party or vendor.
Our Commitments
If you report a vulnerability in good faith and comply with this policy:
- We will respond promptly and acknowledge your report;
- We will work with you to validate and triage the issue;
- We will make commercially reasonable efforts to remediate validated vulnerabilities in a timely manner;
- We will extend Safe Harbor protections as outlined below.
Our Expectations
We require that you:
- Follow this policy and applicable laws at all times;
- Use only the Official Channels listed below to report vulnerabilities;
- Refrain from publicly disclosing or sharing vulnerability information without prior written consent from LightBox;
- Refrain from accessing, modifying, or deleting any data other than your own;
- Refrain from taking any actions that could degrade, damage, or impair our services or infrastructure;
- Immediately cease testing and report the issue if you encounter data such as Personally Identifiable Information (PII), Personal Health Information (PHI), payment card data, proprietary information, or other sensitive content;
- Test only against assets explicitly listed as in-scope;
- Refrain from engaging in extortion, ransom requests, or threats of public disclosure.
Official Channels
To report a security issue, please contact us via email at: vulnerabilitydisclosure@lightboxre.com.
Include as much detail as possible to help us triage and verify the issue, including URLs, request/response payloads, and reproduction steps.
Safe Harbor
When conducting security research in accordance with this policy:
- We consider your research to be authorized under the Computer Fraud and Abuse Act (CFAA) and similar anti-hacking laws, and will not initiate legal action against you for good-faith, non-destructive testing;
- We will not pursue claims under the Digital Millennium Copyright Act (DMCA) for lawful circumvention performed in accordance with this policy;
- You are granted a limited waiver from our Terms of Use and Acceptable Use Policy solely for the purpose of research under this policy;
- If legal action is initiated by a third party, we will take reasonable steps to make it known that your actions were consistent with this policy.
If you have any doubts, ask before acting. Contact us for clarification before proceeding.
Note: Safe Harbor applies only to actions within the scope of this policy and does not extend to any actions that violate applicable laws or the rights of third parties.
Exclusion of Liability
LightBox makes no representations or warranties regarding its systems and assumes no liability for any damages arising from your participation in this program. You assume full responsibility for your activities, including any unauthorized access or damage.
No Compensation
While we sincerely appreciate the efforts of researchers who help enhance the security of our systems, we do not offer financial rewards or other compensation for disclosures made under this policy. Participation is voluntary and submitted reports are provided without expectation of compensation.
License Grant
By submitting a vulnerability or any associated materials to LightBox, you grant us a perpetual, irrevocable, royalty-free, worldwide license to use, reproduce, adapt, distribute, and incorporate such materials into our products and services without restriction.
Right to Modify or Terminate
We reserve the right to modify, suspend, or terminate this policy at any time, for any reason, without notice. You are responsible for reviewing the latest version of this policy prior to conducting research.
Governing Law
This policy shall be governed by and construed under the laws of the State of New York, without regard to conflict of law principles. Any disputes arising under or related to this policy shall be resolved in the state or federal courts located in New York County, New York.
No Waiver
Failure by LightBox to enforce any provision of this policy shall not be deemed a waiver of our rights under this policy or applicable law.
Severability
If any provision of this policy is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.