Security
We take the security of LumenLingo and your data seriously. If you discover a vulnerability, we want to hear about it.
Reporting a Vulnerability
If you believe you have found a security vulnerability in LumenLingo, please report it responsibly by emailing .
Please include as much detail as possible: a description of the vulnerability, steps to reproduce, the potential impact, and any proof-of-concept code or screenshots.
We also publish a machine-readable security.txt file per RFC 9116.
Scope
In Scope
- The LumenLingo website (lumenlingo.com) and all subdomains
- API endpoints under lumenlingo.com/api/*
- The LumenLingo iOS application
- Authentication and authorisation flaws
- Cross-site scripting (XSS), injection, and cross-site request forgery (CSRF) vulnerabilities
- Server-side request forgery (SSRF)
- Sensitive data exposure
Out of Scope
- Social engineering (phishing, vishing) against Lumenshore employees
- Denial-of-service (DoS/DDoS) attacks
- Physical attacks against Lumenshore offices or infrastructure
- Vulnerabilities in third-party services (Apple, Vercel, Sentry) — report these to the respective vendor
- Automated scanning without prior approval
- Spam, SEO manipulation, or content injection that does not affect security
Our Response
We commit to the following response timeline:
- Acknowledgement — within 48 hours of your report
- Initial assessment — within 5 business days
- Resolution target — within 30 days for critical issues, 90 days for non-critical issues
- Notification — we will let you know when the issue is resolved
We will keep you informed of our progress and may ask for additional information to help reproduce or resolve the issue.
Safe Harbour
We will not pursue legal action against security researchers who:
- Act in good faith and follow this disclosure policy
- Avoid accessing or modifying other users' data
- Do not degrade the service (no DoS, no destructive testing)
- Report vulnerabilities promptly and do not disclose them publicly until we have had a reasonable opportunity to address them
If you follow these guidelines, we consider your research to be authorised and will not pursue civil or criminal action related to your findings.
Contact
For security reports:
For general support:
Preferred language: English