Security Policy

Reporting Security Issues

If you discover a security vulnerability in Lumi, please report it responsibly to security@lumi.media.

Do not open public issues or discussions for security vulnerabilities.


Security Contacts


Security.txt

Our vulnerability disclosure policy is published in machine-readable format per securitytxt.org:

Current security.txt fields include:


PGP Public Key

The security.txt files are cryptographically signed using the Lumi PGP public key.

Key Details

Property Value
Key ID 895F9EC9191253F1
Fingerprint 39D378475BF4DBFA93CD69A1895F9EC9191253F1
Algorithm RSA 4096
Created 2026-04-16
UID Lumi Co Pty Ltd security@lumi.media

Verify Signatures

To verify the authenticity of our security.txt files:

# Download public key (to be published separately)
gpg --import lumi-security-pgp-public.asc

# Verify signature on security.txt
gpg --verify security.txt

Expected output:

gpg: Signature made [date] UTC
gpg:                using RSA key 895F9EC9191253F1
gpg: Good signature from "Lumi Co Pty Ltd <security@lumi.media>"

Vulnerability Handling Process

  1. Report received → Acknowledged within 48 hours
  2. Investigation → Severity assessment & reproduction
  3. Fix development → Patch created & tested
  4. Disclosure coordination → Coordinated release timeline
  5. Public advisory → CVE/advisory published after fix is available

We request a reasonable embargo period (typically 30-90 days) to allow time to patch.

Additional Resources


Last Updated

2026-04-16