If you have found a security vulnerability in Lucid, please follow the guidelines below to disclose it to us safely.
Please report security vulnerabilities by emailing security@roost.moe. Include the following information in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant logs, screenshots, or proof-of-concept code
- The version of Lucid you are using
- Your assessment of the severity (e.g., low, medium, high, critical)
We will acknowledge receipt of your report within 48 hours and aim to provide an initial assessment within 5 business days.
While investigating or demonstrating an issue, please observe the following:
- Do not open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Do not access, modify, or delete data belonging to other users.
- Do not perform denial-of-service attacks or any testing that could degrade the service for others.
- Do not use automated scanners or tools against production systems without prior written permission.
- Do not disclose the vulnerability to third parties before it has been resolved.
Our coordinated disclosure process is as follows:
1. You report the vulnerability privately to security@roost.moe.
2. We acknowledge your report and begin our investigation.
3. We work on a fix and coordinate a release timeline.
4. Once the fix is released, we publicly disclose the vulnerability with appropriate credit to the reporter (unless you prefer to remain anonymous).
We are interested in vulnerabilities that affect the Lucid project itself. Issues in third-party dependencies should be reported to the respective maintainers, though we appreciate a heads-up if a dependency vulnerability directly impacts Lucid.
Thank you for helping keep Lucid and its users safe.