This security policy applies to all Lute open-source components.
Only the latest release of each component receives security updates.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities via email to security@lute.app with "SECURITY" in the subject line.
Please include the following in your report:
- Description of the vulnerability
- Affected component(s)
- Steps to reproduce
- Impact assessment (what an attacker could achieve)
We will acknowledge your report within 5 business days. After that, the process is as follows:
- Acknowledgment — We confirm receipt of your report within 5 business days.
- Triage — We assess severity and determine affected components.
- Fix Development — We develop a patch and keep you informed of progress.
- Release — We publish the fix and a security advisory.
- Credit — We credit you in the advisory, unless you prefer to remain anonymous.
We ask that you give us 90 days to address a reported vulnerability before any public disclosure.
- We will keep you informed of our progress throughout the disclosure window.
- If a fix is released before the 90-day window closes, both parties are free to disclose.
- If we cannot meet the 90-day window, we will work with you to negotiate an extension.
In scope:
- Security vulnerabilities in Lute code
Out of scope:
- Vulnerabilities in third-party dependencies (please report these upstream)
- Hosting services or infrastructure providers
We will not pursue legal action against security researchers who:
- Act in good faith and follow this policy
- Avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities through the process described above
We consider security research conducted under this policy to be authorized activity.