Reporting a Vulnerability

If you have discovered a security vulnerability in LumaGrid, we want to hear from you. Please report it responsibly before disclosing it publicly.

Responsible Disclosure

Email: legal@lumagrid.uk
Subject line: Security Vulnerability Report
We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 30 days.

What to Include

Our Commitment to You

Scope

In scope: lumagrid.uk, api.lumagrid.uk, and all subdomains operated by OGR Group Ltd.

Out of scope: third-party services we use (Cloudflare, Stripe, Resend). Please report those directly to the respective providers.

Platform Security

Infrastructure

Built on Cloudflare Workers + R2 + D1. DDoS protection, Bot Fight Mode, and HTTPS enforced on all routes. No origin servers — Cloudflare's edge handles all requests.

Data Encryption

Organiser personal data is encrypted at rest using AES-GCM before storage in D1. Payment data is handled entirely by Stripe — we never see or store card details.

Authentication

Magic link authentication — single-use tokens with 24-hour expiry, burned on first use. Admin access is protected by a separate secret not exposed to the frontend.

Content Safety

All uploads are processed through content reporting infrastructure. IP logging on every upload. Preservation holds prevent deletion of reported content. Known-CSAM hash checking via Microsoft PhotoDNA, with matched content quarantined and reported.

Security Contacts