Vulnerability Disclosure
We are committed to working with security researchers to identify and remediate vulnerabilities in the Luretrace platform. If you believe you have discovered a security vulnerability, please report it to us before public disclosure.
- Submit reports to security@luretrace.com with a clear description of the vulnerability and steps to reproduce.
- We will acknowledge receipt within 48 hours.
- We will provide a remediation timeline within 10 business days of triage.
- We target remediation within 90 days for critical and high-severity findings.
- We ask that you refrain from publicly disclosing the vulnerability until we have released a fix or the 90-day window has elapsed.
Scope
The following are in scope for security research:
- The Luretrace console web application (luretrace.com)
- The sensor binary and its communication with the console API
- Console API endpoints
The following are out of scope:
- Denial of service attacks against production infrastructure
- Social engineering of Luretrace personnel
- Physical security attacks
- Attacks against third-party services (Vercel, Neon, AWS)
Penetration Testing
Customers who wish to conduct penetration testing against their own sensor deployments must notify us in advance at security@luretrace.com. Testing must be scoped to infrastructure you own or operate, and must not target the shared console platform or other customers' sensors.
Sensor Hardening
Luretrace sensors are designed to operate in adversarial environments. We apply the following hardening practices to sensor deployments:
- Sensors communicate with the console over TLS with certificate validation.
- Each sensor is issued a unique API key scoped to that sensor's identity.
- Sensor API keys are never embedded in binaries; they are provisioned at first boot and stored in memory only.
- Captured malware samples are transmitted in isolated containers and never executed on the sensor host.
- Sensors do not store captured credentials or payloads locally beyond the current session buffer.
Key Management
- Sensor API keys are unique per sensor and can be revoked individually from the console.
- Console session tokens are short-lived and invalidated on logout.
- API secrets and database credentials are stored exclusively as environment variables in the hosting environment — never in source code or configuration files.
- Customers should rotate sensor API keys whenever a sensor is decommissioned or if key compromise is suspected.
Incident Response
In the event of a confirmed security incident affecting the Luretrace platform or customer data, we will notify affected customers within 72 hours of confirmation. Notifications will be sent to the email address on file for your account.