Coordinated Disclosure Policy

Security is at the core of Lumos, and Lumos firmly believes in the power of working with security researchers to uncover weaknesses in our systems. Please reach out to us if you believe you’ve found a vulnerability in a Lumos service; we will work with you to resolve the issue promptly.

Disclosure Policy

If you think you’ve found a potential vulnerability, please send us an email at disclosure@lumos.com. We will acknowledge your email within five business days.

Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one month of disclosure.

Act in good faith. Avoid violating privacy, destroying data, or interrupting or degrading Lumos services.

Focus Areas

Authentication bypass or elevation of privileges
Sensitive data exposure
“Root” access to underlying servers
Multitenancy exploits

Exclusions

Please refrain from:
Denial of Service (DoS)
Spamming
Social engineering or phishing of Lumos employees
Thank you for respecting our exclusions.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy.

Contact

We want to hear from you! We can be reached at disclosure@lumos.com. Our PGP key is available here.

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://www.lumos.com/disclosure.

Responsibility

It is the Lumos Security team’s responsibility to enforce this policy.