Disclosure policy.
If you have found a vulnerability in any LuMiNx system or project, this is how to reach us — and what to expect after you do.
Reporting
Send a report to security@luminx.one. We do not have a published PGP key yet — if you need an encrypted channel, say so in a short first email and we will arrange one. Please do not file public bug-tracker issues for confirmed vulnerabilities before coordinated disclosure.
Please include: the affected product or endpoint, reproduction steps, observed impact, and any logs or traces you can share. A proof-of-concept is appreciated but not required.
Scope
- In scope
- luminx.one and its sub-domains, and any LuMiNx-operated production service — including OrbitID and MatrixFlare instances we run.
- Out of scope
- Third-party services we link to but do not operate, theoretical attacks without demonstrated impact, denial-of-service via volume, and findings limited to outdated browsers.
Process
We aim to acknowledge reports promptly and to keep you updated as we investigate. We coordinate disclosure timing with you and will credit you in the advisory unless you ask us not to.
We do not run a paid bug bounty. We are glad to publicly credit researchers who report in good faith, unless you would prefer to stay anonymous.
Safe harbour
Research conducted in good faith under this policy is authorised. We will not pursue legal action against you for accessing systems, bypassing controls, or testing our software so long as you act in proportion to the finding, avoid degrading service for others, do not exfiltrate user data beyond what is needed to demonstrate impact, and give us reasonable time to remediate before publication.
Channels
- security@luminx.one
- PGP
- Not available yet
- Encrypted chat
- Available on request