
The security of a security company should be public — and accountable.

LumixSys runs SpectraShield on itself. Every internal control is evidenced, every primitive is documented, and every researcher who finds a vulnerability gets a fast, fair, paid response.

How we secure LumixSys

The same controls we ship to customers.

Hybrid Kyber-1024 mTLS

Every internal hop runs hybrid post-quantum TLS. No exceptions.

Per-workload identity

SPIFFE IDs anchored in TPM 2.0 / SEV-SNP / TDX attestation.

Continuous attestation

Signed, immutable evidence streamed every minute to WORM storage.

Zero standing access

All access is just-in-time, approval-gated, time-limited.

External pen tests

Trail of Bits + NCC Group on a rotating quarterly cycle.

Bug bounty

Public program with safe-harbor language and 24/7 triage.

Responsible disclosure

If you found something, we want to hear from you.

We publish a safe-harbor policy because security research should not require legal courage. We pay competitively and reply fast.

Safe harbor

We will not pursue legal action against researchers who act in good faith and follow the rules below. We will not file complaints with employers or universities. We will recognize you publicly if you wish.

Scope

  • *.lumixsys.com (production)
  • SpectraShield platform endpoints (auth.lumixsys.com, api.lumixsys.com)
  • Public mobile and desktop clients
  • Customer Slack bot and Lumix CLI

Out of scope

  • Denial-of-service or volumetric attacks
  • Social engineering of LumixSys employees, customers, or vendors
  • Physical attacks on LumixSys offices or data centers
  • Issues affecting outdated browsers (>2 versions behind)

Reward structure (USD)

  • Critical: $25,000–$50,000

    RCE on production, customer-data exfiltration, cryptographic compromise.

  • High: $8,000–$25,000

    Auth bypass, privilege escalation, IDOR with broad reach.

  • Medium: $1,500–$8,000

    Limited IDOR, stored XSS in privileged contexts, SSRF without broad reach.

  • Low: $300–$1,500

    Reflected XSS, CSRF with non-trivial impact, low-impact information disclosure.

How to report

  1. Email security@lumixsys.com with technical details and reproduction steps.
  2. Use PGP if you'd like — our key is at lumixsys.com/.well-known/security-pgp.txt.
  3. We triage every report within 24 hours and pay within 14 days of validation.

Hall of fame

Researchers who have helped us are recognized at lumixsys.com/security/hall-of-fame (with your permission).

security.txt

The basics, in the standard format.

Contact: mailto:security@lumixsys.com
Contact: https://lumixsys.com/security
Expires: 2027-05-01T00:00:00.000Z
Encryption: https://lumixsys.com/.well-known/security-pgp.txt
Acknowledgments: https://lumixsys.com/security#hall-of-fame
Policy: https://lumixsys.com/security#disclosure
Preferred-Languages: en, es, ja
Hiring: https://lumixsys.com/careers
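A file in this format is only useful if it stays well-formed and current, so here is an added example (not LumixSys code) of a small RFC 9116 checker run over a copy of the security.txt above: it requires Contact and exactly one RFC 3339 Expires, flags an expired or more-than-a-year-out Expires, and rejects plain-http links. The `now_iso` parameter is an assumption added so the check is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Copy of the security.txt shown above, embedded here as sample input.
SECURITY_TXT = """\
Contact: mailto:security@lumixsys.com
Contact: https://lumixsys.com/security
Expires: 2027-05-01T00:00:00.000Z
Encryption: https://lumixsys.com/.well-known/security-pgp.txt
Acknowledgments: https://lumixsys.com/security#hall-of-fame
Policy: https://lumixsys.com/security#disclosure
Preferred-Languages: en, es, ja
Hiring: https://lumixsys.com/careers
"""

def parse_security_txt(text):
    """Return {field: [values]} from 'Field: value' lines; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now_iso=None):
    """Return a list of problems; an empty list means the checks below pass.
    now_iso (assumed helper parameter) pins 'now' for reproducible results."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    f, problems = parse_security_txt(text), []
    contacts = f.get("contact", [])            # Contact is mandatory
    if not contacts:
        problems.append("missing Contact")
    problems += [f"Contact is not a mailto/https/tel URI: {c}" for c in contacts
                 if not c.startswith(("mailto:", "https://", "tel:"))]
    expires = f.get("expires", [])             # Expires: mandatory, exactly once
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {expires[0]}")
        else:
            if when <= now:
                problems.append("security.txt has expired")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends < 1 year)")
    for name in ("encryption", "policy", "acknowledgments", "hiring", "canonical"):
        problems += [f"{name} must not use plain http: {v}" for v in f.get(name, [])
                     if v.startswith("http://")]
    return problems
```

Run it from a cron job or CI step against the live file so an expired Expires is caught before researchers stop trusting the contact data.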