Security & Bug Bounty Program
Report security vulnerabilities and learn about our security practices
Rewards
We have given rewards in the past and will reward valid vulnerability reports. Reward amounts are determined based on the severity and impact of the vulnerability.
Reporting Vulnerabilities
Email [email protected] with:
- Clear description of the vulnerability
- Steps to reproduce
- Screenshots or proof of concept
- Your assessment of the impact
We aim to acknowledge valid reports within 48 hours. Please note that we receive a high volume of inquiries and are unable to respond to questions about the bug bounty program that are already answered on this page.
Responsible Disclosure
We ask that you:
- Give us time to fix issues before public disclosure
- Don’t access other users’ data
- Test against your own accounts when possible
We commit to:
- Acknowledge valid reports within 48 hours
- Provide credit for discoveries (if desired)
- Not pursue legal action for good-faith research
Scope
In Scope
- The Luma web application (luma.com and *.luma.com)
- The Luma mobile applications (iOS and Android)
- The Luma API (api.luma.com)
- Authentication and authorization mechanisms
- Payment processing security
Out of Scope
- Third-party services and integrations
- Social engineering attacks against Luma employees or users
- Denial of service attacks
- Physical security
- Issues that require significant user interaction or unlikely user behavior
- SPF/DMARC configuration issues (not considered valid vulnerabilities)
Security Practices
- Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- PCI DSS-compliant payment processing via Stripe
- GDPR-compliant data handling
- Regular security testing and code reviews
- 24/7 monitoring and incident response
Learn More
Contact: [email protected]