Responsible Disclosure Policy

If you believe you have found a security vulnerability in a LEGO® product, please tell us about it.

If you are looking to report a non-security related issue, please use the links below for assistance.

– LEGO® Account. Self-service on https://identity.LEGO.com
– Shop@home, VIP and other problems https://www.LEGO.com/service
– Consumer Service https://www.LEGO.com/service
– Privacy Issues. Contact our privacy officer as described on https://www.LEGO.com/legal/legal-notice/privacy-policy

How to report a security vulnerability to us
If you believe you have found a security vulnerability in one of our web sites or apps, we encourage you to let us know right away. We welcome reports from everyone, including developers, researchers and customers.
To report a security vulnerability, please contact us here and include the following information:

– A URL or an IP address where you found the issue, and when you found it.
– A description of the issue, including what you saw and what you expected to see.
– A list of steps to reproduce the issue, or a video demonstration if it’s a complicated issue.

How the LEGO Group handles vulnerability disclosure
The LEGO Group will send you an automatic reply to let you know that we received your report, and we’ll contact you if we need more information.

Please note that we do not offer a bug bounty program. This means that the LEGO Group does not pay rewards for disclosed security vulnerabilities.

To protect our customers, we investigate all reported issues, but we do not confirm them publicly.

What we ask of you
• You make a good-faith effort to avoid legal and privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
• You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• You do not violate any other applicable laws or regulations.