Vulnerability Disclosure Policy & Bug Bounty Program

Last Updated: May 9, 2026

Our Commitment

At Lucena Health, the security of our systems and the privacy of our users' data are our top priorities. We believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you have found a security vulnerability in Lucena Health systems, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

In-Scope Properties

The following domains and systems are in-scope for our Vulnerability Disclosure Policy:

  • *.lucena.health
  • api.lucena.health
  • LUNA Avatar Kiosk
  • Student Enrollment systems

Out-of-Scope

Any services hosted by third-party providers, and any services not listed above, are excluded from scope. Additionally, the following vulnerabilities are excluded from the rewards program:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Spamming
  • Social engineering or phishing of Lucena Health employees or contractors
  • Physical attacks against Lucena Health property or data centers

Reporting Guidelines

Please provide detailed reports with reproducible steps. Submit your report securely to our security team. If the reported vulnerability poses a significant risk and is reproducible, you may be eligible for a bounty reward based on the severity of the vulnerability.

Please avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or for which you have explicit permission from the account holder.