Lyric Vulnerability Disclosure Program Policy

Overview 

At Lyric we prioritize the security and privacy of our users, products, and services. We are committed to maintaining the highest standards of cybersecurity and welcome contributions from the security research community. This Vulnerability Disclosure Program (the “Program”) establishes a framework for the responsible reporting of security vulnerabilities to enable Lyric to assess, address, and mitigate potential risks. 

Reporting Channel 

Lyric accepts vulnerability reports only through Bugcrowd. Submit all findings through the Bugcrowd submission form on this page so that they receive structured intake, validation, and triage. All submissions are subject to the Bugcrowd Standard Disclosure Terms and any other terms and conditions that apply to the Lyric Bugcrowd program.

If the embedded form is unavailable, researchers may send their finding details to lyric-vdp-ess@submit.bugcrowd.com. Lyric does not accept research submissions through any other means.

Researchers can expect an initial acknowledgement within five business days of submission, provided the report includes sufficient information for intake and triage. 

Scope 

This Program applies only to Lyric-owned web applications, services, and products that are explicitly designated as In-Scope for this Program. Review Lyric's Bugcrowd program page for the current scope.

In-Scope Assets 

Only Lyric-owned or expressly authorized non-production targets are in scope for this program. 

Targets whose fully qualified domain names (FQDNs) contain non-production identifiers such as qa, test, demo, dev, uat, stg/staging, or sandbox are considered in scope unless otherwise stated.

Examples of in-scope targets include: 

  • assure42.qa.lyric.ai 

  • assure42.stg.lyric.ai 

  • c342-ui.qa.lyric.ai 

  • studio.qa.lyric.ai 

  • tpp-ui.qa.lyric.ai 

  • c342-ui.dev.lyric.ai 

  • studio.dev.lyric.ai 

  • tpp-ui.dev.lyric.ai  

  • contentcert.claimsxten.com 

  • cxtdemo8.claimsxten.com/TPPUI/Default.aspx 

  • cxtdemo7.claimsxten.com/TPPUI/Default.aspx 

Out-of-Scope Assets 

Production systems are out of scope.

  • Any production subdomain of lyric.ai 

  • Any production subdomain of claimsxten.com 

Any target whose FQDN lacks a non-production identifier (e.g., qa, test, dev, demo, uat, staging, sandbox) should be assumed to be production, and therefore out of scope, unless it is explicitly listed as an in-scope target above.

If there is any ambiguity, the target must be treated as production and therefore out of scope unless explicitly confirmed otherwise by the program owner. 

Out-of-Scope Activities 

The following activities are prohibited and ineligible for the Program: 

  • Testing against production systems or environments 

  • DoS/DDoS attacks 

  • Social engineering, including phishing, vishing, or impersonation attempts 

  • Physical attacks 

  • Automated or scripted testing against customer-facing forms, submission forms, or similar interfaces 

  • Brute-force testing or any similar high-volume or disruptive activity against Lyric assets under this Program 

  • Rate-limiting attacks 

  • Use of malware or ransomware, or exploitation of discovered vulnerabilities beyond what is necessary to confirm their existence 

  • Data exfiltration, modification, corruption, or destruction 

  • Any activity that degrades system performance or negatively affects user experience 

The following submission types will not be accepted under the Program unless they demonstrate clear, real-world security impact or are part of a chained exploit: 

  • Reports that consist solely of generic automated scan output without supporting proof of concept or evidence of impact  

  • P5 vulnerabilities unless they are part of a chained exploit demonstrating meaningful impact  

  • SSL/TLS best-practice issues without demonstrable security impact  

  • Missing or weak Content Security Policy (CSP) without exploitable impact  

  • Lack of Secure or HttpOnly cookie flags on non-sensitive cookies without associated exploitability 

  • Missing security headers without demonstrable security impact 

Reporting Requirements 

To support timely validation and remediation, reports should include the following information: 

  • A clear description of the vulnerability  

  • Steps to reproduce the issue  

  • The affected asset, endpoint, or target  

  • The potential impact of the vulnerability  

  • Proof-of-concept details  

  • Relevant HTTP requests and responses, where applicable  

  • HTML, screenshots, logs, or other supporting evidence  

  • Recommended remediation, where available

Incomplete reports may delay review, validation, or remediation. 

Credential Restrictions 

Any form of testing using credentials, whether owned, shared, obtained, or otherwise accessible, is strictly prohibited. 

Researchers must not attempt to access authenticated functionality, user accounts, customer environments, or restricted administrative interfaces. 

If you believe you have found Lyric employee or customer credentials, report them through the channel above, but DO NOT attempt to validate or use them. 

Researcher Expectations 

Researchers participating in this Program are expected to act in good faith and conduct testing responsibly. As further described in the Bugcrowd terms and conditions, researchers must: 

  • Test only in-scope, non-production targets  

  • Avoid violating privacy or disrupting services  

  • Avoid degrading user experience  

  • Avoid accessing, modifying, deleting, or exposing data  

  • Stop testing immediately if sensitive information is encountered  

  • Limit testing to what is necessary to confirm the existence of a vulnerability  

  • Refrain from public disclosure 

  • Avoid any use of automated or scripted methods against customer-facing forms (e.g., Contact Us), submission forms, or similar interfaces 

Legal Safe Harbor 

We believe in a safe harbor for security researchers who discover and report vulnerabilities responsibly. If you adhere to this policy in good faith and comply with all applicable Bugcrowd terms and conditions, we will consider your research to be: 

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) and similar state laws; we will not initiate or support legal action against you under these laws for accidental, good-faith violations of this policy. 

  • Exempt from the Digital Millennium Copyright Act (DMCA); we will not bring a claim against you for circumvention of technology controls. 

  • Exempt from restrictions in our Terms of Use that would interfere with conducting security research; we waive those restrictions on a limited basis for work done under this policy. 

Disclosure Policy

  • Researchers must not publicly disclose any vulnerability identified through this Program.   

Rewards 

While there are no monetary payments for findings submitted through this program, Lyric highly values the contribution of the security research community in helping improve the security of its systems and services. 

Legal 

Participation in this Program constitutes acceptance of this policy and of all applicable Bugcrowd terms and conditions. 

Lyric reserves the right to update, modify, or terminate this Program and its terms at any time. The most current version of this policy will be made available on the applicable Lyric page. 

Thank you for helping us keep Lyric secure.