Disclosure policy.
If you have found a vulnerability in any LuMiNx system or project, this is how to reach us — and what to expect after you do.
Reporting
Send a report to security@luminx.one. For sensitive material, encrypt with our PGP key (fingerprint below). Public bug-tracker issues for confirmed vulnerabilities should not be filed before coordinated disclosure.
Please include: the affected product or endpoint, reproduction steps, observed impact, and any logs or traces you can share. A proof-of-concept is appreciated but not required.
Scope
- In scope
  - luminx.one and its sub-domains, OrbitID production endpoints, MatrixFlare homeserver instances we operate, and any code published under github.com/luminxtech.
- Out of scope
  - Third-party services we link to but do not operate, theoretical attacks without demonstrated impact, denial-of-service via volume, and findings limited to outdated browsers.
Process
We acknowledge receipt within 72 hours, share our initial assessment within 7 days, and aim to ship a fix or mitigation within 90 days for confirmed issues. We coordinate disclosure timing with you and will credit you in the advisory unless you request otherwise.
We do not run a paid bug bounty. We do offer public credit and written letters of reference for security researchers who meaningfully contribute, and we will reimburse pre-agreed expenses incurred during a disclosure.
Safe harbour
Research conducted in good faith under this policy is authorised. We will not pursue legal action against you for accessing systems, bypassing controls, or testing our software so long as you act in proportion to the finding, avoid degrading service for others, do not exfiltrate user data beyond what is needed to demonstrate impact, and give us reasonable time to remediate before publication.
Channels
- security@luminx.one
- Encrypted chat
  - on request, via Matrix or Signal