
Vulnerability disclosure

Report vulnerabilities without turning it into a procurement thread.

Luota welcomes responsible reports for vulnerabilities that could affect account access, tenant isolation, ingest integrity, alert delivery, billing state, or sensitive operational evidence.

Contact

Send reports to security@luota.dev

Include the affected route or endpoint, the workspace context if relevant, reproduction steps, the impact you assessed, logs or screenshots that do not expose secrets (redact tokens, session cookies, and customer data before sending), and whether customer data or alert delivery could be affected.

Scope

What is in scope

Authentication, authorization, tenant isolation, ingest tokens, alert-channel configuration, workspace export, billing entitlement transitions, webhook handling, and production public surfaces under luota.dev.

Safe harbor

Good-faith research is welcome

Do not access, modify, destroy, or exfiltrate data that is not yours. Avoid persistence, social engineering, denial of service, spam, secret harvesting, and tests that degrade production. Reports following those boundaries are treated as authorized security research.

Response

Expected handling window

Luota aims to acknowledge credible reports within two business days, triage severity within five business days, and provide status updates for material issues until remediation or a documented risk decision.

Out of scope

No noisy or non-actionable reports

Missing security headers without a demonstrated exploit, raw or generic scanner output, user enumeration without practical impact, self-XSS, clickjacking on non-sensitive pages, and findings that presuppose an already compromised account are usually out of scope.

Bounty

No paid bounty program yet

Luota does not currently run a bug bounty. Reports are still appreciated and will be credited by name or handle if the reporter wants public acknowledgement and the issue is safe to disclose.
