Last updated: September 13, 2025

Our commitment

Security is core to Lyra. We welcome good-faith reports of vulnerabilities that could affect our users.

Safe harbor

If you comply with this policy and act in good faith, Lyra will not pursue legal action or refer matters to law enforcement for accidental violations. This safe harbor does not apply to actions that are illegal or harmful, including data exfiltration, privacy violations, or service disruption.

In scope

• lyra.so and subdomains owned by Lyra
• Lyra web application and APIs
• Official Lyra desktop and mobile clients

Out of scope

• Third-party services not operated by Lyra, including vendors listed on our Sub-processors page
• Social engineering of Lyra staff or customers
• Physical attacks, denial of service, spam, or brute force testing at scale
• Automated scanning that degrades service
• Findings that require a compromised device or rooted or jailbroken environment without user interaction
• Best-practice or configuration suggestions without a concrete vulnerability

Prohibited activities

Do not access, modify, or exfiltrate data that is not your own. If you encounter user data, stop testing, minimize exposure, and report immediately. Do not disrupt production systems or degrade service.

How to report

Email support@lyra.so with the affected asset, steps to reproduce, impact, and any proof of concept. Include your contact details. If you need encryption, request our PGP key.

Our process

• Acknowledge within 3 business days
• Triage and assign severity within 7 business days
• Provide periodic updates until resolution
• Notify you when remediation is complete

Recognition

Lyra does not offer monetary bounties at this time. With your permission, we may recognize your contribution after remediation.

Coordinated disclosure

Please do not disclose publicly until we have confirmed a fix or agree on a timeline.