Security & Bug Bounty Program
Report security vulnerabilities and learn about our security practices
Reporting Vulnerabilities
Email [email protected] with:
- Clear description of the vulnerability
- Steps to reproduce
- Screenshots or proof of concept
- Your assessment of the impact
We'll review and respond to valid security issues promptly.
Responsible Disclosure
We ask that you:
- Give us time to fix issues before public disclosure
- Don't access other users' data
- Test against your own accounts when possible
We commit to:
- Respond quickly to valid reports
- Provide credit for discoveries (if desired)
- Not pursue legal action for good-faith research
Scope
In Scope
- The Luma web application (luma.com and *.luma.com)
- The Luma mobile applications (iOS and Android)
- The Luma API (api.luma.com)
- Authentication and authorization mechanisms
- Payment processing security
Out of Scope
- Third-party services and integrations
- Social engineering attacks against Luma employees or users
- Denial of service attacks
- Physical security
- Issues that require significant user interaction or unlikely user behavior
- SPF/DMARC configuration issues (not considered valid vulnerabilities)
Security Practices
- Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- PCI DSS-compliant payment processing via Stripe
- GDPR-compliant data handling
- Regular security testing and code reviews
- 24/7 monitoring and incident response
Learn More
Contact: [email protected]