| Version | Supported |
|---|---|
| 1.x | ✅ |
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing security@lumenflow.dev with:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof-of-concept.
- Any suggested mitigations.
- Your contact information and disclosure preferences.
- For encrypted reports, use OpenPGP. Request our public key or fingerprint by emailing security@lumenflow.dev before submitting sensitive information.
- If you cannot use PGP, contact us and we will provide an alternative secure channel.
We will acknowledge receipt of valid reports within 48 hours.
Severity response SLAs:
| Severity | Acknowledgement | Fix / Mitigation Plan | Public Disclosure |
|---|---|---|---|
| Critical | 48 hours | 7 days | Within 30 days after fix |
| High | 48 hours | 14 days | Within 45 days after fix |
| Medium | 48 hours | 30 days | Within 60 days after fix |
| Low | 48 hours | 60 days | Within 90 days after fix |
We will provide status updates at least every 7 days until the issue is resolved.
To facilitate triage and investigation, please structure your security report as:
Title: [Concise vulnerability title]
Severity: Critical | High | Medium | Low
Affected Component: [Contract function, SDK method, or deployment process]
Description: [Technical description and impact]
Proof of Concept: [Steps to reproduce]
Recommended Fix: [Suggested mitigation or patch]
In-scope:
- Smart contract logic vulnerabilities (reentrancy, overflow, auth bypass)
- Signature verification weaknesses
- Storage manipulation or data corruption
- Denial-of-service vectors in contract execution
- SDK cryptographic or data handling issues
Out-of-scope:
- Issues in third-party dependencies (report upstream)
- Theoretical attacks without a practical exploit path
-
Immediate Action (0-2 hours)
- Acknowledge receipt to reporter
- Convene security team
- Begin development of fix or mitigation
-
Assessment (2-12 hours)
- Confirm exploit path
- Identify blast radius (which contracts/deployments affected)
- Assess production impact
-
Response (12-72 hours)
- Release patched contract code
- Coordinate with deployment team
- Publish security advisory (after fix deployed)
-
Assessment (24 hours)
- Confirm issue and determine scope
- Develop fix or mitigation
-
Resolution (3-7 days)
- Release fix
- Publish advisory
- Follow standard issue/PR process
- Include fix in next planned release
- Contract Events: Monitor
suspicious_activityevents emitted when payment thresholds are exceeded. - Deployment Status: Track contract version and admin changes via
admin_setevents. - Automated Alerts: Set up webhook integrations on security@lumenflow.dev for critical contract events.
- Tier 1: Security team receives report
- Tier 2: Project maintainers convened for critical issues
- Tier 3: Executive/legal review for disclosure decisions
Contact the security team at security@lumenflow.dev or via SUPPORT.md for additional questions.
We follow coordinated disclosure. Once a fix is released, we will publish a security advisory crediting the reporter (unless anonymity is requested).
We maintain a bug bounty program for eligible reports. Rewards are offered at our discretion based on severity, impact, and quality of the submission. To participate, submit a valid report to security@lumenflow.dev and include details sufficient to reproduce the issue.
With the reporter's consent, we will credit acknowledged disclosures in published security advisories and maintain a Hall of Fame for recognized contributors.