Cosgn
Security
Effective Date: December 11, 2025
Applies to: All Cosgn brands, Services, platforms, systems, and environments, including Launch In Ten, Lvabl, Cosgn Pay, Cosgn Cloud, Cosgn Hi, Cosgn Credit, RECOSGN, Clloser, and all future Cosgn brands.
Commitment to Security
Cosgn welcomes good faith security research and values contributions that help protect our Members, infrastructure, and products. If you act in good faith and comply with this Policy, Cosgn will not pursue legal action under applicable computer misuse laws, anti-circumvention rules, or the Cosgn Terms for your responsible research activities.
This Safe Harbor operates as described in §11 of the Master Terms and applies to all Cosgn brands and Services.
1. How to Report
If you identify a potential security or privacy vulnerability affecting any Cosgn system, notify us at:
Include the following details for review and validation:
• a clear description of the issue
• reproduction steps or proof of concept
• potential impact or risk
• proposed mitigation, if applicable
Cosgn will:
• acknowledge your report within five business days, and
• provide a progress update within ten business days.
2. Scope of Coverage
The following assets are in scope for testing and disclosure:
• Cosgn-owned domains and subdomains, including cosgn.com, launchinten.com, lvabl.com, adiapp.com, and any future Cosgn domains
• Cosgn APIs and authenticated or unauthenticated public endpoints
• Cosgn Cloud Services, hosting, storage, staging environments, member dashboards, and administrative portals
• Sandbox or testing environments explicitly designated for researcher use
This scope applies collectively across all Cosgn brands as described in §0 (Unified Entity) of the Master Terms.
3. Out of Scope
The following are not permitted under any circumstance:
• testing payment processors or external vendors such as Stripe, PayPal, or Wise
• social engineering of Cosgn staff, contractors, Members, or vendors
• DoS, DDoS, load testing, or any activity that degrades system availability
• physical access testing
• spam or content abuse tests without a technical security component
• automated scanning that produces excessive traffic, alerts, or degradation
• access to or modification of data belonging to other Members or end users
• exploitation of any vulnerability found
Any action that violates §7 (Acceptable Use) or threatens system stability voids Safe Harbor protections.
• creation of automated accounts or bulk account registrations, including scripted or bot-driven signup activity
• impersonation of Cosgn staff, systems, brands, domains, or communication channels for any purpose
Any activity that generates excessive load, bypasses intended rate limits, or interferes with monitoring, logging, or security controls is prohibited regardless of intent.
4. Rules of Engagement
To retain eligibility for Safe Harbor protection, researchers must:
• avoid accessing, modifying, copying, exfiltrating, or using data that does not belong to them
• cease testing immediately if personal, confidential, or Member data is encountered
• limit testing to minimal, non-disruptive methodologies
• use real and verifiable contact information when communicating with Cosgn
• keep vulnerability information confidential until Cosgn confirms remediation or until 90 days after initial report, whichever occurs first
• comply with applicable law and avoid attempts to circumvent technical, administrative, or access controls in ways inconsistent with this Policy or §1.16 (No Circumvention)
Any malicious conduct, data misuse, extortion, or exploitation voids Safe Harbor.
• researchers must not modify, manipulate, or attempt to escalate privileges within their own production accounts in ways that degrade system stability, bypass intended controls, or interfere with production data flows
5. Recognition
Cosgn may publicly acknowledge researchers who follow this Policy and report valid vulnerabilities. Recognition is discretionary.
To qualify, a submission must:
• be new and previously unknown to Cosgn, and
• demonstrate a meaningful security or privacy impact.
Cosgn does not provide monetary rewards at this time.
6. Legal Safe Harbor
When you comply with this Policy in good faith:
• your testing activities are authorized by Cosgn solely for the limited purpose of vulnerability research
• Cosgn will not initiate legal action under the Computer Fraud and Abuse Act, Canadian Criminal Code computer misuse provisions, DMCA, or similar anti-circumvention laws
• Cosgn will treat your testing as falling within §11 (Security Research Safe Harbor) of the Master Terms
Safe Harbor does not apply to:
• actions outside this Policy
• testing that disrupts availability, harms other users, or accesses Member data
• exploitation of vulnerabilities, attempts to extract payment, or attempts to leverage findings for competitive or harmful purposes
• violations of export controls, sanctions restrictions, or prohibited jurisdictions under §15.2
7. Updates
This Policy may be updated periodically.
The current version is always available at:
cosgn.com/security
In case of conflict between this Policy and the Cosgn Master Terms, the Master Terms control.
Quick Summary
Allowed (Good Faith)
• reporting legitimate vulnerabilities
• coordinating private disclosure
• minimal, non-disruptive testing within defined scope
Not Allowed
• exploiting or leaking any data
• public disclosure before remediation or before 90 days
• testing third-party platforms
• DoS, DDoS, or load testing
• accessing other users data
• social engineering