If you discover a security vulnerability in Lumi, please report it responsibly to security@lumi.media.
Do not open public issues or discussions for security vulnerabilities.
Our vulnerability disclosure policy is published in machine-readable format per securitytxt.org:
Current security.txt fields include:
Canonical for each app URLPreferred-Languages: enEncryption: https://explore.lumi.media/en/security/lumi-public.ascPolicy: https://explore.lumi.media/en/security/The security.txt files are cryptographically signed using the Lumi PGP public key.
| Property | Value |
|---|---|
| Key ID | 895F9EC9191253F1 |
| Fingerprint | 39D378475BF4DBFA93CD69A1895F9EC9191253F1 |
| Algorithm | RSA 4096 |
| Created | 2026-04-16 |
| UID | Lumi Co Pty Ltd security@lumi.media |
To verify the authenticity of our security.txt files:
# Download public key (to be published separately)
gpg --import lumi-security-pgp-public.asc
# Verify signature on security.txt
gpg --verify security.txt
Expected output:
gpg: Signature made [date] UTC
gpg: using RSA key 895F9EC9191253F1
gpg: Good signature from "Lumi Co Pty Ltd <security@lumi.media>"
We request a reasonable embargo period (typically 30-90 days) to allow time to patch.
2026-04-16