---
title: "Security & Bug Bounty Program"
subtitle: "Report security vulnerabilities and learn about our security practices"
slug: "security-bug-bounty"
url: "https://help.luma.com/p/security-bug-bounty"
tags: ["Security"]
---

## Rewards

We have given rewards in the past and will reward valid vulnerability reports. Reward amounts are determined based on the severity and impact of the vulnerability.

## Reporting Vulnerabilities

Email [security@luma.com](mailto:security@luma.com) with:

1. Clear description of the vulnerability
2. Steps to reproduce
3. Screenshots or proof of concept
4. Your assessment of the impact

We aim to acknowledge valid reports within 48 hours. Please note that we receive a high volume of inquiries and are unable to respond to questions about the bug bounty program that are already answered on this page.

## Responsible Disclosure

**We ask that you:**

- Give us time to fix issues before public disclosure
- Don’t access other users’ data
- Test against your own accounts when possible

**We commit to:**

- Acknowledge valid reports within 48 hours
- Provide credit for discoveries (if desired)
- Not pursue legal action for good-faith research

## Scope

**In Scope**

- The Luma web application (luma.com and \*.luma.com)
- The Luma mobile applications (iOS and Android)
- The Luma API (api.luma.com)
- Authentication and authorization mechanisms
- Payment processing security

**Out of Scope**

- Third-party services and integrations
- Social engineering attacks against Luma employees or users
- Denial of service attacks
- Physical security
- Issues that require significant user interaction or unlikely user behavior
- SPF/DMARC configuration issues (not considered valid vulnerabilities)

## Security Practices

- Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- PCI DSS-compliant payment processing via Stripe
- GDPR-compliant data handling
- Regular security testing and code reviews
- 24/7 monitoring and incident response

## Learn More

- [Security Overview](https://luma.com/security)
- [Privacy Policy](https://luma.com/privacy)
- [Enterprise Security](/p/enterprise-security)

**Contact**: [security@luma.com](mailto:security@luma.com)
