
Security at Lillio

Security is core to what we do at Lillio, and we operate our program with the utmost care for our customers' private data. Our commitment is to operate a best-in-class security program, raising the bar to incorporate cutting-edge best practices before they become industry norms.

Some examples of how we operate our security program include:

  • Continuous vulnerability scanning and patching of our infrastructure

  • Hardening of our virtualized cloud infrastructure and codebase

  • Penetration tests conducted by external vendors

  • Regular internally conducted testing and application security assessments

  • Segmentation and isolation of customer data within our infrastructure

  • Threat-informed risk analysis

  • Adhering to recognized industry infosecurity and data security standards such as OWASP ASVS (The OWASP Application Security Verification Standard) and PCI DSS (Payment Card Industry Data Security Standard)

Shared Responsibility

Like many cloud SaaS providers, Lillio approaches security through a shared responsibility model.

Our responsibility at Lillio is to secure our infrastructure, product, and codebase. We work hard to ensure that the personal information, photos, and other information you entrust to our services are protected.

Customers are responsible for securing their accounts by ensuring they don't share account credentials and by following our general password and security guidelines laid out here.

Contact Lillio’s Security Team

If you have any questions for our security and compliance team at Lillio you can reach us by email at:

Reporting a Vulnerability

If you believe you have found a security issue with any of Lillio’s products, we would love to receive your report! Security findings can be emailed to

Lillio does not operate a formal bug bounty program at this time and does not offer monetary rewards for vulnerability reports, but researchers reporting vulnerabilities may be acknowledged below.

When reporting a security issue, describe the issue in detail and include steps to reproduce, including any relevant tools and tool output. Please do not send attachments with your report, although if required, TXT files and screenshots in PNG or JPG format are permitted. The more detail provided, the more likely we will be able to reproduce the issue and determine a course of action.

Please note that any security-related issues included in the list below should be considered eligible for reporting:

  • Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF)

  • Authentication or Authorization Flaws

  • Server-Side Request Forgery (SSRF) or Server-Side Template Injection (SSTI)

  • SQL injection (SQLi) or other similar attacks

  • Remote Code Execution (RCE) including via JavaScript execution

  • HTTPS configuration (supported TLS versions, cipher suites, etc.)

  • Clickjacking / UI redress

  • DNS configuration (SPF, DKIM, DMARC, CAA)

  • Denial of Service or other attacks that repeatedly spam requests toward our services or would affect the availability of our service

Out of scope

Please do not report security findings from the following categories:

  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible.

  • Any physical attempts against our property or data centers.

  • UI and UX bugs and spelling mistakes

Lillio’s Vulnerability Disclosure Policy

Where applicable, Lillio will coordinate the public disclosure of validated vulnerabilities within our software. We request that potential vulnerabilities not be disclosed in a public setting until our team has had time to review and respond to the submission, provide a suitable fix to mitigate risk, and reach out to potentially impacted customers. 

We prefer that any public disclosure be made simultaneously. The timeline to address a vulnerability depends on the severity of the risk and the potential impact, but we work very hard to ensure that we respond as soon as possible.

To determine the severity of a vulnerability we take into account the exploitability of the flaw when evaluating risk as well as potential risk to our customer data, including data on children registered in the system. Where possible, we also try to ensure that we communicate with the reporter on the status of the vulnerability once we’re close to a resolution.


Lillio feels that it is important to recognize reporters who follow our reporting guidelines for their contributions to ensure our data is safe and protected. If you report a vulnerability, please let us know if you would like to be recognized on this page. 

We can recognize you by your preferred name or GitHub username.
