Vulnerability Disclosure Policy
How to report security vulnerabilities to Luna and what to expect from us.
Last updated: 30 March 2026
Reporting a vulnerability
If you believe you've found a security vulnerability in Luna's platform, website, or infrastructure, we want to hear about it. Send your report to security@lunatech.xyz.
Please include as much of the following as you can:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue, including URLs, request/response pairs, or screenshots
- The affected component (e.g. app.lunatech.xyz, API, website)
- Your assessment of severity (Critical, High, Medium, Low)
What we commit to
- Acknowledgement within 2 business days. We'll confirm we received your report and assign a tracking reference.
- Initial assessment within 5 business days. We'll evaluate the report and let you know whether we've accepted it as a valid vulnerability.
- Regular updates. We'll keep you informed of our progress towards a fix.
- Credit. With your permission, we'll acknowledge your contribution once the issue is resolved.
Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your activity to be authorised. We will not pursue legal action against researchers who:
- Act in good faith and avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or with the explicit permission of the account holder
- Stop testing and report the issue promptly once a vulnerability is discovered
- Do not exploit a vulnerability beyond what is necessary to confirm it exists
- Do not publicly disclose the vulnerability before we've had a reasonable opportunity to fix it
Scope
The following are in scope:
- app.lunatech.xyz (the Luna platform)
- api.lunatech.xyz (the Luna API)
- app-staging.lunatech.xyz (staging platform)
- api-staging.lunatech.xyz (staging API)
- www.lunatech.xyz (this website)
Out of scope
The following are out of scope and should not be tested:
- Physical attacks against Luna offices or infrastructure
- Social engineering of Luna staff or customers
- Denial-of-service attacks
- Automated scanning that generates significant traffic
- Vulnerabilities in third-party services we use (report those to the vendor)
- Issues that require physical access to a user's device
Disclosure timeline
We aim to resolve confirmed vulnerabilities within 90 days. We ask that you give us this time before any public disclosure. If we need more time, we'll discuss it with you.
Once a fix is deployed, you're free to publish your findings. We'd appreciate a heads-up before you do so we can coordinate.
Contact
Report a vulnerability
Email: security@lunatech.xyz
For general security questions, visit our Security & Trust page.