Our Commitment

We actively work to safeguard our systems against the latest security threats. Despite our best efforts, vulnerabilities may occasionally be discovered. When this happens, we encourage security researchers, customers, and partners to report these issues to us responsibly.

How to Report a Vulnerability

If you believe you have found a security issue affecting lunacal.ai products, services, or infrastructure, please contact us immediately with the relevant details. This allows us to analyze and resolve the vulnerability before any public disclosure.

Reporting Process

  • Please send a detailed report to our dedicated security disclosure email: [email protected].
  • Include a clear description of the vulnerability, the affected systems or products, and step-by-step instructions to reproduce the issue.
  • We recommend avoiding attachments and including most of the information directly in your email.
  • For proof-of-concept demonstrations, recorded videos can be shared as private links from trusted platforms like YouTube or Vimeo.

In-scope

  • app.lunacal.ai/*
  • lunacal.ai/*

Report Eligibility

  • Be the first to report a vulnerability.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • If multiple vulnerabilities are reported from the same root cause, they will be considered a single issue, and only the first valid report will qualify for the Hall of Fame. If the root cause is the same and only the endpoints differ within the same application, the report will be treated as a duplicate.
  • Provide high quality reports with clear and comprehensive reproducible steps. High quality submissions allow our team to better understand the issue and relay the bug to the internal teams to fix it quickly.

How to write a report

Hello lunacal.ai Security Team,

## 1. Vulnerability Summary
Brief description of the security issue.

## 2. Affected Asset(s)
- Domain / Application:
- Endpoint / Feature (if applicable):

## 3. Steps to Reproduce
1. Step one
2. Step two
3. Step three

## 4. Impact
Explain what an attacker could achieve by exploiting this vulnerability.

## 5. Proof of Concept
- Screenshots / logs (if applicable)
- Private video link (optional):

## 6. Suggested Fix (Optional)
Any mitigation or fix suggestions, if available.

## 7. Researcher Details (Optional)
- Name / Alias:
- LinkedIn / Website:
- Preferred credit name (if any):

I confirm that this research was conducted in good faith and in accordance with lunacal.ai’s Responsible Disclosure Policy.

Thank you for your time and consideration.

Best regards,  
<Your Name or Alias>

Our Request to Researchers

  • Please give us a reasonable time to investigate and address the reported vulnerability before publicly disclosing any details.
  • Avoid testing beyond what is necessary to confirm the vulnerability to prevent disruption to our services.
  • Do not share vulnerabilities or exploit details publicly until we have resolved the issue.
  • Any testing, exploitation, or disclosure that is not conducted in good faith, exceeds what is necessary to demonstrate a vulnerability, results in service disruption, data access, or user harm, or violates applicable laws may lead to legal action by lunacal.ai.

Out of scope vulnerabilities

  • Username enumeration via signup, account, and recovery forms
  • Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
  • Best-practice concerns such as cookies not marked Secure or HttpOnly, missing HSTS, SSL/TLS configuration, and missing security headers.
  • Vulnerabilities reported by automated tools and scanners without additional proof of concept
  • Vulnerabilities that only affect outdated app versions.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Exploits that need MITM or physical access to the victim’s device
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF
  • Previously known vulnerable libraries without a working Proof of Concept
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Open redirect vulnerabilities are out of scope by default. If you chain one with a different vulnerability to demonstrate real impact, we would be interested.
  • Stack traces, directory listings or path disclosures
  • Self XSS
  • Social engineering attacks against users or employees

Hall of Fame

We recognize and appreciate researchers who responsibly disclose valid security issues. Recognition includes acknowledgements on Lunacal.ai’s LinkedIn and features in website testimonials.

Full Name | LinkedIn | Bugs Reported
Husnain Iqbal | http://linkedin.com/in/husnain-iqbal-4317282233