Vulnerability Disclosure Policy — Lantern

Last Updated: January 4, 2026

Our Commitment

Lantern is committed to the security and privacy of our users. We welcome security researchers and the community to help us identify and address potential vulnerabilities.

We believe in:

🔍 Transparency about our security posture
🤝 Collaboration with the security research community
🛡️ Continuous improvement of our defenses
🎯 Responsible disclosure that protects users

Scope

In Scope

The following are within scope for security research:

✅ Web application: https://ourlantern.app and https://dev.ourlantern.app
✅ Authentication & authorization: Login, signup, session management
✅ Encryption implementation: Client-side encryption vulnerabilities
✅ API endpoints: Firestore security rules, Firebase Functions
✅ Data handling: PII leakage, insecure storage, insufficient deletion
✅ Client-side security: XSS, CSRF, clickjacking, etc.

Out of Scope

❌ Social engineering of Lantern staff or users
❌ Physical security of offices or infrastructure
❌ DDoS attacks or intentional service disruption
❌ Third-party services (Firebase, Cloudflare) - report to them directly
❌ Spam or content violations - use our abuse reporting system
❌ Issues in dependencies - unless actively exploitable in Lantern

How to Report

Preferred Method

Email: security@ourlantern.app (coming soon - for now, use GitHub Issues for non-critical)

Please include:

Description: Clear explanation of the vulnerability
Impact: What could an attacker do? How severe?
Steps to reproduce: Detailed reproduction steps
Proof of concept: Code, screenshots, or video (if safe to share)
Suggested fix: If you have ideas (optional but appreciated)
Contact info: How we can reach you for updates

Encryption

PGP public key available on request for sensitive disclosures.

GitHub Issues

For non-sensitive security discussions:

Use label: security
Examples: Encryption best practices, architecture questions, general hardening

For critical vulnerabilities, please email directly (don't use public GitHub Issues).

What We Promise

Response Timeline

Milestone	Timeline	Details
Acknowledgment	48 hours	We confirm receipt of your report
Initial triage	7 days	We assess severity and impact
Status updates	Every 7 days	Regular progress reports
Fix deployment	30 days (critical) 90 days (non-critical)	Target timelines, may vary by complexity
Public disclosure	Coordinated	After fix is deployed and users updated

Recognition

We offer:

✅ Credit in our security advisories (if you want)
✅ Public thanks on our website/blog
✅ Swag (Lantern stickers, shirts when available)
🔄 Bounties (discretionary, when budget allows)

How we credit you:

Name (or handle) in advisory
Link to your website/Twitter (if provided)
Description of vulnerability found

If you prefer anonymity, just let us know—we respect that.

Transparency

When a vulnerability is fixed, we will:

Publish a security advisory with:
- Description of vulnerability
- Impact and severity
- Affected versions
- Credit to researcher
- Remediation steps for users
Notify affected users (if applicable)
Update our security documentation

Safe Harbor

Lantern commits to not pursuing legal action against security researchers who:

✅ Follow responsible disclosure:

Report vulnerabilities privately
Give us reasonable time to fix (30-90 days)
Don't actively exploit vulnerabilities on production

✅ Act in good faith:

Make a good faith effort to avoid privacy violations
Don't access more data than necessary to demonstrate the issue
Don't intentionally harm users or degrade service
Don't demand payment or rewards as a condition of disclosure

✅ Stay within scope:

Test only on accounts you control
Don't exfiltrate user data
Don't test on production systems without permission

If you're unsure whether your testing would violate this policy, please ask first.

Security Research Guidelines

Do's ✅

Do test on your own accounts
Do use our development environment (dev.ourlantern.app) when possible
Do document your findings thoroughly
Do suggest fixes or mitigations
Do ask questions if unsure about scope
Do report even if you're not sure it's exploitable

Don'ts ❌

Don't access or modify other users' data
Don't perform load testing or DDoS attacks
Don't use automated scanners without prior approval
Don't publicly disclose before we've patched
Don't leverage vulnerabilities for personal gain
Don't spam or harass our systems

Severity Guidelines

We use CVSS v3.1 for severity scoring, but here's a simplified guide:

Critical (9.0-10.0)

Remote code execution
Authentication bypass affecting all users
Encryption key exposure
Mass data breach

Response: Emergency patch within 24-48 hours

High (7.0-8.9)

Authentication bypass affecting some users
SQL injection or NoSQL injection
Privilege escalation
Sensitive data exposure (PII)

Response: Patch within 7 days

Medium (4.0-6.9)

CSRF on sensitive actions
Information disclosure (non-PII)
Authorization flaws
Insecure defaults

Response: Patch within 30 days

Low (0.1-3.9)

Missing security headers
Cookie security issues
UI/UX security improvements
Rate limiting gaps

Response: Patch within 90 days

Bounty Program (Future)

Current Status

⏳ Not yet active - We're a small team with limited budget.

When We'll Start

We plan to launch a formal bug bounty program when:

We have raised funding or reached profitability
We've completed an external security audit
We have dedicated security engineering resources

What to Expect

When active, bounties will likely be:

Critical: $500-$2,000
High: $200-$500
Medium: $50-$200
Low: Swag + recognition

For now: We offer recognition, credit, and our deep gratitude. 🙏

Example Reports (Anonymized)

Good Report ✅

Title: Stored XSS in Lantern Name Field

Description:
The Lantern Name field does not properly sanitize user input,
allowing an attacker to inject JavaScript that executes when
other users view the profile.

Impact:
An attacker could steal session tokens, perform actions on
behalf of victims, or redirect users to phishing sites.

Steps to Reproduce:
1. Create account
2. Set Lantern Name to: <script>alert(document.cookie)</script>
3. Have another user view your profile
4. JavaScript executes in victim's browser

Suggested Fix:
Sanitize all user input with DOMPurify before rendering.
Specifically, see UserProfile.jsx line 42.

Severity: High (CVSS 7.5)

Poor Report ❌

Title: Security vulnerability

Description:
Your site has a bug.

Steps:
Just look at the code.

Impact:
Bad.

Why it's poor: No details, no reproduction steps, no impact assessment.

FAQs

Q: Can I test on production?

A: Only on accounts you control. Don't access other users' data or disrupt service.

Q: What if I found something but I'm not sure it's a vulnerability?

A: Report it anyway! We'd rather triage a non-issue than miss a real vulnerability.

Q: Can I automate testing?

A: Ask first. Automated scanners can disrupt service. We may provide a test environment.

Q: Will you fix all reported issues?

A: We'll fix all valid security issues. We may deprioritize low-severity issues or accept certain risks with documentation.

Q: Can I publish a blog post about my findings?

A: Yes, after we've deployed a fix and coordinated disclosure timeline. We encourage public research!

Q: What if we disagree on severity?

A: We'll discuss it transparently. We use CVSS scoring and industry standards, but we're open to debate.

Community Security Ethos

We Believe In

✅ Security by design - Build it right from the start
✅ Defense in depth - Multiple layers of protection
✅ Least privilege - Minimal access, minimal data
✅ Transparency - Open about our approach and limitations
✅ Collaboration - Security is a team sport

We're Open To

💡 Architecture feedback - "Have you considered...?"
💡 Best practice suggestions - "Industry standard is..."
💡 Threat modeling - "What if an attacker...?"
💡 Alternative approaches - "Signal does it this way..."

We're not perfect. We're a small team doing our best. If you see something that could be better, please tell us. We're listening.

Contact

Primary: security@ourlantern.app (coming soon)
Backup: GitHub Issues (public, non-sensitive only)
PGP Key: Available on request

Response time: We aim for 48 hours, but we're a small team. If urgent, mark it as such.

Updates to This Policy

We'll update this policy as we grow. Major changes will be:

Announced to researchers who've previously reported
Posted on our blog/website
Versioned in our GitHub repository

Last major update: January 4, 2026 - Initial comprehensive policy

Thank you for helping us keep Lantern secure! 🔒

Together, we can build something trustworthy.

Vulnerability Disclosure Policy — Lantern ​

Our Commitment ​

Scope ​

In Scope ​

Out of Scope ​

How to Report ​

Preferred Method ​

Encryption ​

GitHub Issues ​

What We Promise ​

Response Timeline ​

Recognition ​

Transparency ​

Safe Harbor ​

Security Research Guidelines ​

Do's ✅ ​

Don'ts ❌ ​

Severity Guidelines ​

Critical (9.0-10.0) ​

High (7.0-8.9) ​

Medium (4.0-6.9) ​

Low (0.1-3.9) ​

Bounty Program (Future) ​

Current Status ​

When We'll Start ​

What to Expect ​

Example Reports (Anonymized) ​

Good Report ✅ ​

Poor Report ❌ ​

FAQs ​

Q: Can I test on production? ​

Q: What if I found something but I'm not sure it's a vulnerability? ​

Q: Can I automate testing? ​

Q: Will you fix all reported issues? ​

Q: Can I publish a blog post about my findings? ​

Q: What if we disagree on severity? ​

Community Security Ethos ​

We Believe In ​

We're Open To ​

Contact ​

Updates to This Policy ​