If you believe you have discovered a possible security issue within a LEGO product, service, website, or application, you are encouraged to report it without delay. Maintaining strong security is essential for protecting users, customers, and digital systems, and timely, responsible disclosure plays an important role in minimizing risks. Reports may be submitted by anyone, including independent researchers, developers, partners, or customers who encounter behavior that appears unusual or potentially vulnerable.
This reporting channel is intended specifically for matters related to security. If your concern does not involve a security issue, alternative support options are available. Account-related questions can be addressed through self-service tools, while inquiries about purchases, loyalty programs, or general services should be directed to customer support. Issues related to personal data and privacy are handled through dedicated privacy contact channels. Using the appropriate pathway ensures that each concern is reviewed by the correct team and resolved more efficiently.
When submitting a report about a suspected vulnerability, it is important to include clear and comprehensive details so the issue can be accurately assessed. Reports should focus on digital platforms or services operated by the LEGO Group where a weakness may exist. Prompt reporting after discovery is strongly encouraged, as early awareness helps reduce potential exposure.
Effective reports typically contain specific technical information. This may include the website address or IP address where the issue was identified, along with the approximate date and time of discovery. A detailed explanation of what was observed, why it may represent a security concern, and what the expected behavior should be can greatly assist in the review process. If the issue can be replicated, outlining the exact steps required to reproduce it is especially helpful. Supporting materials such as screenshots or video recordings can also provide valuable context, particularly for more complex situations.
After a report is submitted, an automated acknowledgment is usually sent to confirm receipt. This indicates that the information has entered the evaluation process. If additional clarification or supporting details are needed, the security team may follow up directly. Each report is carefully reviewed to determine its validity and potential impact on systems and users.
Security is treated as a priority, and all reported concerns are investigated with care. However, specific details about identified vulnerabilities or the results of investigations are not publicly disclosed, as this helps reduce potential risks while issues are being assessed and resolved. It is also important to understand that there is no bug bounty or reward program in place, meaning that while reports are appreciated, financial compensation is not offered.
Responsible conduct is a key expectation throughout this process. Individuals who identify potential vulnerabilities should act in good faith and avoid any actions that could harm systems, expose personal data, or disrupt services. Vulnerabilities should not be exploited, and testing should be limited strictly to what is necessary to confirm the issue. Attempts to gain unauthorized access, extract sensitive information, or extend testing beyond the original finding are not permitted.
All relevant laws and regulations must be followed when identifying and reporting security concerns. The purpose of vulnerability disclosure is to strengthen system security and protect users, not to create disruption or risk. By acting responsibly and sharing findings through proper channels, contributors help improve the safety and resilience of the digital environment.
The LEGO Group recognizes and values the contributions of those who help enhance security. Through cooperative and responsible reporting, potential issues can be identified and addressed efficiently, supporting a safer and more reliable experience for users around the world.