Security: quantumpipes/lucy-in-the-loop

SECURITY.md

Security Policy

If you believe you’ve found a security vulnerability, please email security@lucyintheloop.org with details and a proof of concept. Optionally, encrypt your report with our PGP key, which is published in SECURITY.txt.

Coordinated Disclosure: We request 90 days to investigate, patch, and release before public disclosure. We will acknowledge reporters in release notes unless you request otherwise.

Safe Harbor: We will not pursue legal action for good-faith, non-destructive research that respects privacy, does not exploit data, and complies with applicable laws and this policy.

Additional security and data protection details are in docs/security-and-data-protection-policy.md.

Health Breach Notification (HBNR) Readiness (U.S.)

If any incident results in the unauthorized acquisition of identifiable health information from users (including wellness data handled by Lucy outside HIPAA), we will assess the applicability of the FTC Health Breach Notification Rule (HBNR).

If HBNR applies, our target process is:

  • Investigate and contain the incident; preserve forensic evidence.
  • Determine the scope of affected individuals, the data elements involved, and the likelihood of harm.
  • Provide individual notices without unreasonable delay and within the required timelines; notify the FTC and, where applicable, media outlets as required by HBNR.
  • Coordinate with counsel on state health-privacy laws (e.g., WA MHMDA, CA CPRA/CMIA), which may impose additional or shorter timelines.
  • Document decision-making, timelines, and notices; update this policy and our technical controls to prevent recurrence.

Report suspected breaches privately to security@lucyintheloop.org.