Lumin logo
Try for freeSign in
Request a demo
Sign in
Try for free

Bug bounty program

Find security issues in Lumin to earn rewards and secure your spot in our Hall of Fame through our vulnerability disclosure program.

Table of contents

  • Policy
  • Rewards
  • Rules for reporting
  • In scope
  • Out of scope
  • What we are looking for
  • What we are not looking for

Policy

The following guidelines give you an idea of what we usually pay out for different classes of security issues. Low-quality issues may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue and step-by-step instructions including how to reproduce your issue. Screenshots are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.

Rewards

Security vulnerability: Most critical, Critical, High, Medium, Low; Mobile crash/ANR
Security vulnerabilityMobile crash/ANR
Most criticalCriticalHighMediumLow
600 USD - 1200 USD400 USD - 600 USD200 USD100 USD50 USD500 USD
Security vulnerability: Most critical, Critical
Security vulnerability
Most criticalCritical
600 USD - 1200 USD400 USD - 600 USD
Security vulnerability: High, Medium
HighMedium
200 USD100 USD
Security vulnerability: Low
Low
50 USD
Mobile crash/ANR
Mobile crash/ANR
500 USD

Rules for reporting

  1. Report a qualifying vulnerability that is in the scope of our program (below).
  2. Be the first person to report the vulnerability.
  3. Be reasonable with automated scanning methods so as to not degrade services.
  4. Refrain from disclosing the vulnerability until we've addressed it.
  5. NEVER try to gain access to a real user's account or data.
  6. You must not leak, manipulate, or destroy any user data.
  7. Do not impact users with your testing.
  8. For mobile crashes/ANRs: include the device model, OS version (Android/iOS), and Lumin app version. Share relevant crash logs or recordings if possible.

In scope

  1. app.luminpdf.com
  2. luminpdf.com
  3. Android & iOS applications
  4. sign.luminpdf.com

Out of scope

  1. tools.luminpdf.com
  2. help.luminpdf.com

What we are looking for

  1. Cross-site scripting (XSS)
  2. Cross-site request forgery (CSRF)
  3. Insecure direct object reference (IDOR)
  4. Account takeovers
  5. SQL injection
  6. Authentication flaws
  7. Remote code execution (RCE)
  8. Server-side request forgery (SSRF)
  9. XML External Entity Attacks (XXE)
  10. Crashes or ANRs on the mobile app
  11. Anything not listed but important

What we are not looking for

  1. Vulnerabilities requiring physical access to the victim's unlocked device
  2. Denial of Service attacks
  3. Brute force attacks
  4. Spam or social engineering techniques
  5. Content spoofing
  6. Best practices concerns
  7. Issues relating to password policy
  8. Issues relating to token lifetime
  9. User enumeration
  10. Full path disclosure on any property
  11. CSRF-able actions that do not require authentication (or a session) to exploit
  12. Reports related to missing security headers
  13. CSV injection
  14. Reverse tabnabbing
  15. Bugs that do not represent any security risk
  16. Crashes and ANR issues that are not reproducible
  17. Vulnerabilities that are limited to unsupported browsers

How to report?

Please send all security reports to [email protected]

Learn more about Lumin security

Lumin has a robust, modern security system. We focus on customized security solutions in conjunction with industry-standard compliance.

Explore security center
Explore security