Reporting a vulnerability
If you believe you have found a security issue affecting LumeSec, please contact us at security@lumesec.ai. Encrypted reports are preferred — the public PGP key is published on our contact page.
We acknowledge reports within two business days and aim to provide a substantive status update within ten business days.
In scope
- lumesec.ai and all subdomains operated by LumeSec
- The LumeSec AI Operating Platform (AIOP) and any product surface we ship
- Source code published by LumeSec
Out of scope
- Third-party services we link to but do not operate
- Findings that require physical access to a user's device or social engineering of LumeSec staff
- Reports generated solely by automated scanners without demonstrated impact
Good-faith research
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data loss, or service disruption
- Do not exfiltrate or retain user data beyond what is necessary to demonstrate the issue
- Give us reasonable time to remediate before public disclosure
- Do not perform denial-of-service testing, send spam, or attempt to access accounts other than their own
Disclosure
We coordinate disclosure with the reporter. The default window is 90 days from acknowledgement, extended where complexity warrants. We credit reporters in advisories on request.
Contact
- Email: security@lumesec.ai
- PGP key: /contact
- Machine-readable: /.well-known/security.txt (RFC 9116)