Vulnerability Disclosure Policy

Effective: 16 May 2026 · Version 1.0

PanLuma welcomes reports from external security researchers. This page explains how to report a vulnerability safely, what is in scope, what is not, and what you can expect from us in return.

1. How to Report

Send a report to security@panluma.ai. The mailbox is monitored on business days; for time-sensitive issues, please also include the word URGENT in the subject line.

Please include in your report:

  • A clear description of the issue and its potential impact.
  • Steps to reproduce, including any required configuration, accounts, or test data.
  • The URLs, endpoints, or components affected.
  • Any proof-of-concept (script, screenshot, video). Please do not include actual customer data.
  • Your name or handle, and how you would like to be credited (or whether you prefer to remain anonymous).

2. Safe Harbor

PanLuma will not pursue legal action against, support law enforcement investigation of, or terminate the accounts of researchers who, in good faith and consistent with this policy:

  • Make a sincere effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Only interact with accounts they own or have explicit permission from the account holder to test.
  • Do not exfiltrate customer data beyond the minimum needed to prove the issue.
  • Do not publicly disclose the issue before we have had a reasonable opportunity to remediate (see §5).

Activities outside the scope of this policy, or in violation of its conditions, are not covered by this safe-harbor commitment.

3. Scope

In scope:

  • Applications: app.panluma.ai (the PanLuma web application), www.panluma.ai (marketing site), the PanLuma desktop builds, the PanLuma iOS and Android apps.
  • APIs: app.panluma.ai/api/v1/*, all MCP endpoints under /mcp/*.
  • Authentication and authorization: JWT handling, OAuth flows (Google, Microsoft), API key auth, RBAC, tenant isolation, RLS.
  • Infrastructure surface exposed to the internet: CloudFront distributions, WAF, ALB.

Out of scope:

  • Any third-party service we depend on (AWS, Anthropic, Google, Microsoft, PostHog, etc.). Report those directly to the vendor.
  • Issues that require physical access to a user’s device, social-engineering attacks against PanLuma personnel, or attacks against PanLuma’s office network.
  • Denial-of-service attacks, traffic-based attacks, brute-force or rate-limit testing at any scale that would impact availability for other users.
  • Findings that depend on out-of-date or unsupported browsers, operating systems, or libraries.
  • Findings that require an attacker to already control a user’s account or device (e.g., self-XSS via paste, missing autocomplete attributes).
  • Disclosure of public information (e.g., software versions, the presence of a robots.txt).
  • Vulnerabilities only present in pre-release branches that have not been deployed to production.

4. Things You Must Not Do

  • Access, modify, or delete customer data that is not your own without explicit permission.
  • Run automated scans that send more than a few requests per second.
  • Test against the platform with payment-related transactions, denial-of-service, or social engineering.
  • Publicly disclose the issue before the coordinated disclosure window in §5.

5. Response Targets and Coordinated Disclosure

  Stage                                        Target
  Acknowledge receipt of report                2 business days
  Initial triage and severity assignment       5 business days
  Status update if remediation is ongoing      Every 14 days
  Remediation (target, severity-dependent)     Critical: 24 hours · High: 7 days · Medium: 30 days · Low: 90 days
  Coordinated public disclosure window         90 days from initial report, or sooner with researcher’s agreement

If we are unable to remediate within 90 days, we will communicate the reason and a revised timeline before the disclosure window expires.

6. Recognition

PanLuma does not currently operate a paid bug-bounty programme. We will:

  • Acknowledge valid, in-scope reports publicly on our Hall of Fame page (with researcher consent).
  • Provide a written acknowledgement letter on request.

A formal bug-bounty programme is on our roadmap; this policy will be updated when it is launched.

7. Reporting Vulnerabilities in Third Parties

If you discover a vulnerability that affects a service PanLuma depends on (for example, an unpatched dependency or a misconfiguration in a sub-processor), please still report it to us. We will work with the upstream vendor and credit you for the coordination effort, even though the underlying fix is not in our code.

8. Contact

  • Email: security@panluma.ai
  • Web: https://www.panluma.ai/.well-known/security.txt
  • Mailing address: provided on request to verified researchers.