Reporting a Vulnerability
If you have discovered a security vulnerability in LumaGrid, we want to hear from you. Please report it responsibly before disclosing it publicly.
Email: legal@lumagrid.uk
Subject line: Security Vulnerability Report
We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 30 days.
What to Include
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any proof-of-concept code (if applicable)
- Your contact details (optional — we accept anonymous reports)
Our Commitment to You
- We will not take legal action against researchers who report vulnerabilities in good faith
- We will keep you informed of our progress
- We will credit you publicly if you wish, once the issue is resolved
- We ask that you give us reasonable time to fix the issue before public disclosure
Scope
In scope: lumagrid.uk, api.lumagrid.uk, and all subdomains operated by OGR Group Ltd.
Out of scope: third-party services we use (Cloudflare, Stripe, Resend). Please report those directly to the respective providers.
Platform Security
Infrastructure
Built on Cloudflare Workers + R2 + D1. DDoS protection, Bot Fight Mode, and HTTPS enforced on all routes. No origin servers — Cloudflare's edge handles all requests.
Data Encryption
Organiser personal data is encrypted at rest using AES-GCM before storage in D1. Payment data is handled entirely by Stripe — we never see or store card details.
Authentication
Magic link authentication — single-use tokens with 24-hour expiry, burned on first use. Admin access is protected by a separate secret not exposed to the frontend.
Content Safety
All uploads are processed through content reporting infrastructure. IP logging on every upload. Preservation holds prevent deletion of reported content. Known-CSAM hash checking via Microsoft PhotoDNA, with matched content quarantined and reported.
Security Contacts
- General security: legal@lumagrid.uk
- Safety & abuse: safety@lumagrid.uk
- Staff & internal access: staff@lumagrid.uk
- Machine-readable: /.well-known/security.txt