Security policy

Last updated: June 2026

We take security seriously. If you have discovered a vulnerability in Lumen Dental Prep, we want to hear about it. This page describes what is in scope, how to reach us, what to expect after you report, and the safe-harbor terms that apply to good-faith research.

1. Scope

In scope:

  • Web app + APIs served from *.lumendentalprep.com — including the marketing site, exam hubs, mock player, admin surfaces, billing endpoints, and any first-party API route.

Out of scope (handled by their own programs):

  • Marketing email sent from lumendentalprep.com — spoofing / phishing concerns should be reported to the email provider listed in the message headers.
  • Third-party services we use — report directly to the vendor: Supabase, Stripe, Vercel, Resend. If the issue surfaces through our integration with one of them, send it to us too — we will help triage.

2. How to report

Email security@lumendentalprep.com. Encryption is optional: if you want an encrypted channel for follow-ups, ask for our PGP public key in your first message and we will send it in the reply.

Please include:

  • The vulnerable URL or API endpoint.
  • Reproduction steps (the minimum sequence that triggers it).
  • Expected vs. actual behavior.
  • Your name or handle for credit in the hall of fame (or tell us you prefer to stay anonymous — both are fine).

Screenshots and a short proof-of-concept video help more than a long writeup. If the issue requires an authenticated session, tell us — do not create extra test accounts beyond what is needed to reproduce.

3. What to expect

  • Initial acknowledgement within 5 business days. We confirm we received the report and started triage.
  • Status update within 14 days. We tell you the severity we have assigned and the expected fix timeline.
  • Resolution timeline scales with severity:
    • P0 (auth bypass, RCE, mass PII exposure) — within 30 days.
    • P1 (privilege escalation, sensitive-data leak) — within 60 days.
    • P2 / P3 — rolled into the regular release cadence.
  • Public disclosure after the fix has shipped, with credit if you want it. We will tell you before we publish.

4. Safe-harbor

We will not pursue legal action against you for good-faith security research conducted within the scope of this policy. Good-faith research means:

  • No data exfiltration. Confirm the vulnerability with the minimum data needed and stop. Do not download or retain other users’ data.
  • No destructive testing. Do not delete or modify production data or accounts, and do not run denial-of-service tests or aggressive automated scanners against production services.
  • No social engineering of Lumen employees, contractors, or vendors. Phishing, pretexting, and physical attacks are out of scope.
  • Respect user privacy. If you discover personal data, stop, report, and securely delete any copies in your possession.
  • Give us time to fix. Do not publicly disclose until we have agreed on a date.

Research outside these limits is not protected by this policy. If you are unsure whether a specific test crosses the line, ask us first — we would rather help you stay inside the safe-harbor than argue afterwards.

5. Non-qualifying reports

We will close these reports without further action:

  • Clickjacking on pages with no sensitive actions.
  • Missing CSP, HSTS, or other hardening headers on purely static marketing pages.
  • Automated-scanner output without manual verification — please confirm the issue is real before sending.
  • Self-XSS or social-engineering scenarios that require the victim to paste code into their own browser console.
  • Rate-limit bypass on read-only endpoints with no abuse impact.
  • Outdated browser warnings, missing CAA records, or other informational findings without a concrete exploit.
  • Vulnerabilities in third-party services (Supabase, Stripe, Vercel, Resend) — report directly to the vendor.

6. Hall of fame

Researchers who have helped us harden the platform. We add contributors here after a fix has shipped and they have given permission for public credit.

  • No reports yet — you could be the first.

7. Canonical contact

The canonical machine-readable contact info lives at /.well-known/security.txt per RFC 9116 (the top-level /security.txt is a legacy alias for the same file). If anything on this page conflicts with the signed security.txt, the security.txt wins.
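As an added example (not code from Lumen Dental Prep), the following Python script checks a security.txt file against the structural rules of RFC 9116 that the statement above relies on: at least one Contact given as a URI, exactly one Expires in RFC 3339 form that has not passed, at most one Preferred-Languages, and a Canonical entry matching the URL the file was fetched from. Because the page refers to a signed file, it also unwraps an OpenPGP cleartext signature so the fields can be read, without verifying the signature. The sample file, its Expires value, the fixed clock, and the Canonical, Policy and Acknowledgments URLs are constructed assumptions; only the mailto: address comes from this page.

```python
"""Check a security.txt file against the structural rules of RFC 9116 (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: only the mailto: address appears on the policy page.
SAMPLE_SECURITY_TXT = """\
# Lumen Dental Prep security contact (constructed sample)
Contact: mailto:security@lumendentalprep.com
Expires: 2027-06-01T00:00:00Z
Canonical: https://lumendentalprep.com/.well-known/security.txt
Policy: https://lumendentalprep.com/security
Acknowledgments: https://lumendentalprep.com/security#hall-of-fame
Preferred-Languages: en
"""
WELL_KNOWN_URL = "https://lumendentalprep.com/.well-known/security.txt"  # assumed location
FIXED_NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

AT_MOST_ONCE = {"expires", "preferred-languages"}  # RFC 9116 allows each of these only once
URI_SCHEMES = ("https://", "mailto:", "tel:")        # narrower than the RFC's general URI rule


def strip_cleartext_signature(text: str) -> str:
    """Unwrap an OpenPGP cleartext-signed file so its fields can be parsed.

    Removes the armor only; it does NOT verify the signature, which needs the
    publisher's public key and an OpenPGP tool (for example gpg --verify).
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_body = [], False
    for line in lines[1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if not in_body:  # armor headers such as "Hash: SHA256" end at the first blank line
            in_body = line == ""
            continue
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs in file order, with field names lower-cased."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text: str, served_at: str, now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the file is well-formed."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(strip_cleartext_signature(text))
    except ValueError as exc:
        return [str(exc)]
    counts: dict[str, int] = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    problems = [f"missing required field: {f}" for f in ("contact", "expires") if f not in counts]
    problems += [f"field must appear at most once: {f}" for f in AT_MOST_ONCE if counts.get(f, 0) > 1]
    for name, value in fields:
        if name == "contact" and not value.startswith(URI_SCHEMES):
            problems.append(f"Contact must be a URI such as mailto: or https://: {value}")
        elif name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 date-time: {value}")
                continue
            if expires.tzinfo is None:
                problems.append(f"Expires lacks a UTC offset: {value}")
            elif expires <= now:
                problems.append(f"security.txt expired on {value}")
            elif expires - now > timedelta(days=366):
                problems.append("Expires is more than a year away; RFC 9116 recommends under a year")
    canonicals = [v for n, v in fields if n == "canonical"]
    if canonicals and served_at not in canonicals:
        problems.append(f"served URL {served_at} is not listed in Canonical")
    return problems


if __name__ == "__main__":
    for line in validate_security_txt(SAMPLE_SECURITY_TXT, WELL_KNOWN_URL, FIXED_NOW) or ["ok"]:
        print(line)
```

To check a live file, pass the body fetched from /.well-known/security.txt together with that exact URL and leave the clock argument off so the real time is used; the fixed clock exists only to make the sample run repeatable. A clean result means the file is well-formed, not that it is authentic: verify the cleartext signature separately with gpg against the key the team sends you.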