Security
Security disclosure
We welcome responsible reports that help keep Lumenbase and our customers safe.
Report a vulnerability
Email security reports to security@lumenbase.io. Include a concise description, reproduction steps, affected URLs or accounts, and any screenshots or logs that help us validate the issue.
In scope
- Authentication, session, authorization, or tenant-isolation issues.
- Access to another workspace's customer data.
- Stored or reflected cross-site scripting.
- Server-side request forgery, remote code execution, or privilege escalation.
- Credential, token, webhook, or API-key leakage affecting Lumenbase systems.
Out of scope
- Social engineering, phishing, or physical attacks.
- Denial-of-service or load tests without written approval.
- Destructive testing, data exfiltration beyond proof of access, or persistence attempts.
- Automated scanner output without a confirmed exploitable issue.
- Issues in third-party services unless they directly expose Lumenbase customer data.
Safe harbor
If you act in good faith, avoid privacy violations and service disruption, and report findings promptly, we will not pursue legal action for security research that follows this policy. Stop testing and notify us immediately if you encounter customer data or sensitive secrets.
Response expectations
- We aim to acknowledge credible reports within two business days.
- We prioritize issues by customer impact, exploitability, and data exposure risk.
- We will keep reporters updated when a validated issue requires a longer remediation window.
