Introduction
At LemFi, we are dedicated to improving our security posture. This Vulnerability Disclosure Policy is published by Pomelo Technology US Inc. (registered at 251 Little Falls Drive, Wilmington, DE 19808, USA) and applies to it and its group of companies and subsidiaries (together, "LemFi", "we", "us" or "our"). We appreciate feedback from security researchers and the general public. If you believe you have discovered a vulnerability, privacy issue, exposed data, or any other security issues related to our assets, please reach out to us by following the policy outlined below.
Systems in Scope
This policy applies to the digital assets owned, operated, or maintained by LemFi that are listed below.
In-scope assets:
Out of Scope
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
The following are out of scope and must not be tested under this policy:
- any system, asset, infrastructure or service not expressly listed in Systems in Scope above;
- infrastructure, software or services owned, operated or hosted by third parties (including our payment, KYC, banking, cloud and other vendors), even where used to deliver our services;
- sandbox, staging, test, pre-production and demonstration environments;
- LemFi corporate IT systems, internal networks, employee accounts, and email or messaging systems;
- LemFi marketing landing pages, social media accounts and customer-support channels;
- physical security of any LemFi premises or personnel.
The following classes of issue are out of scope and will not be accepted as valid reports:
- social engineering, phishing or any pretext attack against LemFi staff, contractors, customers or partners;
- denial-of-service or volumetric testing, including stress, load and resource-exhaustion testing;
- findings that require a rooted, jailbroken or otherwise compromised device, or an out-of-date browser or operating system;
- missing security headers, weak ciphers, certificate-configuration issues and similar best-practice findings without a demonstrated security impact;
- self-XSS, clickjacking on pages without sensitive actions, and other theoretical issues without a working proof of concept;
- vulnerabilities in third-party software or libraries unless you can demonstrate exploitable impact on an in-scope LemFi asset.
Our Commitments
When working with us in compliance with this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
This policy is supported by our partner, Inspectiv, which will triage valid vulnerabilities. For reports confirmed as genuine vulnerabilities, Inspectiv will facilitate a monetary reward to the researcher on our behalf, with the reward amount listed on their platform.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. To the extent of any inconsistency between this policy and our Terms of Service or Acceptable Use Policy in respect of authorised security research conducted in accordance with this policy, this policy will prevail;
- Report any vulnerability you've discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Avoid volumetric testing or testing that could otherwise result in a denial of service;
- Use only the Official Channels (outlined below) to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days, or such longer period as we may reasonably request in writing where remediation requires more time) from the initial report to resolve the issue before you disclose it publicly, and keep the report and any information obtained during your research strictly confidential until that period has elapsed and the vulnerability has been remediated;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- Not perform testing that violates any applicable laws or regulations, or that disrupts or compromises any data that is not your own;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Data (as defined in the UK and EU/EEA General Data Protection Regulation), credit card data, or proprietary information. You must not retain, copy, store, transfer, disclose, sell or otherwise use any such data for any purpose, and must securely delete or destroy it (and any copies) on the earlier of (a) our written request and (b) confirmation that the vulnerability has been remediated;
- Only interact with test accounts you own, or accounts for which you have explicit permission from the account holder;
- Not engage in extortion; and
- Confirm that you are not, and are not acting on behalf of any person who is, (i) located, ordinarily resident or organised in any country or territory that is the subject of comprehensive sanctions administered by the UK, EU, US (OFAC) or UN, or (ii) on any sanctions or restricted-party list maintained by any of those authorities.
Rewards
VDP submissions are not eligible for bounty payment from Inspectiv. Please visit https://app.inspectiv.com/ to view our current Bug Bounty Programs.
Official Channels
Please report security issues here: https://client.inspectiv.com/vdp/lemfi/submit-report
Please provide all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
If you experience any issues submitting your vulnerability on our platform, please reach out to programs@inspectiv.com and we will process your submission over email. Please do not reach out to our customers directly; they will direct you back to us.
Safe Harbor
When you are conducting vulnerability research and you have adhered to this policy, we consider this vulnerability research to be:
- Authorized research for the purposes of applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized research for the purposes of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Use Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis;
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Conversely, if you have not complied with this policy we will make that known as well.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties. In particular, this policy does not, and cannot, prevent prosecution by any prosecuting authority under any public-law statute (including, in the United Kingdom, the Computer Misuse Act 1990); our commitment is that LemFi will not itself initiate or support such proceedings against you where you have complied with this policy.
Reservation of rights. Where conduct breaches this policy and also breaches applicable law, we reserve the right to pursue or support legal action and to notify the relevant authorities. Nothing in this policy limits any rights or remedies otherwise available to us.
Governing law. This policy and any non-contractual obligations arising out of or in connection with it are governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with this policy.