lumenify.xyz / private disclosure infrastructure

Private disclosure. Real security.

Lumenify gives Web3 protocols a high-signal vulnerability intake and expert triage process without charging researchers to submit.

Reports are evaluated by reproducibility, impact, scope, and root cause. Not by politics, paywalls, or guesswork.

01 submit: Researcher report
02 proof: PoC evidence
03 review: Triage review
04 SLA: Project response
05 reason: Structured closure

Report RPT-0xA93F (Validated)

Accounting path accepts stale vault share state

Impact: Temporary freezing
Root cause: state asymmetry
Scope: vault adapter
PoC: reproducible

the gap

Web3 disclosure is noisy. Serious reports get buried.

Vulnerability disclosure should be a technical process. Too often it becomes a negotiation over politics, opacity, and platform incentives.

What researchers experience

supply side
  • Pay-to-submit gates before technical review.
  • Arbitrary closures with vague or missing rationale.
  • Duplicate claims without same-fix analysis.
  • Ignored reports and invisible project response quality.

What protocols experience

demand side
  • Spam, hallucinated reports, and low-signal submissions.
  • Unclear scope mapping and inconsistent severity claims.
  • Triage fatigue that pulls engineers away from fixes.
  • Loss of credibility when closure decisions are opaque.

approach

Evidence-based triage, built into the workflow.

Lumenify is not an open bounty marketplace. It is managed vulnerability intake and expert triage infrastructure for serious Web3 protocols.

RULE 01

No researcher paywalls

Researchers never pay to submit technical work. Signal comes from evidence, not submission fees.

RULE 02

Technical closure reasons required

A report cannot be closed with a label alone. Closure requires a technical explanation.

RULE 03

Duplicates require same-fix sufficiency

Duplicate means same root cause, same affected path, same impact, and one fix resolves both.

RULE 04

SLA accountability

Project response times are tracked. Missed acknowledgement and triage windows affect responsiveness metrics.

product

Private intake. Expert triage. Accountable resolution.

The MVP is a private disclosure room with real operational controls: report evidence, triage judgment, project response, and structured decisions.

Private thread, case LUM-2026-0042 (report RPT-0xA93F, Validated: Accounting path accepts stale vault share state)

Researcher: PoC attached. The freeze reproduces after the last withdrawer exits and the first new depositor re-enters.

Triage: Scope mapped to vault accounting. Asking project to verify same-fix sufficiency against prior report hash.

Private report submission

intake

Guided fields for target, scope, root cause, impact, reproduction, and PoC attachments.

Project + researcher thread

private

One report, one private record, one shared timeline. No public issue leakage.

Expert triage notes

review

Manual review maps evidence to exploitability, affected path, severity, and duplicate status.

Structured closure forms

rules

A decision cannot close without rationale, citations, and impact reasoning.

SLA dashboard

metrics
ACK SLA: 24h
First technical response: 72h
Decision required: reasoned

Researcher reputation signals

quality
Accepted: 12
Reproducible: 94%
Duplicate rate: low

for protocols

Less noise. Better decisions.

Give your engineering team a private vulnerability intake process with expert triage, clear severity mapping, duplicate review, and response-time accountability.

  • Reduce triage burden.
  • Improve signal quality.
  • Track response SLAs.
  • Enforce structured closure logic.
  • Build credibility with serious researchers.
Request pilot access

for researchers

Submit serious work without paying at the door.

Lumenify is built for researchers who care about proof, impact, and technical rigor. Reports are judged by evidence, not writing style or platform politics.

  • No pay-to-submit.
  • AI-assisted writing is allowed; hallucinated reports are rejected.
  • Technical rejection reasons required.
  • Duplicate claims must be justified.
  • Reputation is built from accepted, reproducible work.
Join researcher waitlist

workflow

From report to resolution.

Every status is operational. Each transition records what changed, who owns the next step, and which evidence is required.

01 Submitted

Researcher provides affected asset, root cause, impact claim, reproduction steps, and PoC evidence.

Evidence: asset + PoC + impact

02 Acknowledged

Project confirms receipt within SLA. The clock is visible to all parties in the private thread.

Evidence: timestamp + owner

03 In Triage

Expert review maps the report to scope, affected path, practical exploitability, and severity framework.

Evidence: scope + path + severity

04 Needs Info

Clarification requests must be specific: missing inputs, failing step, affected commit, or impact proof.

Evidence: repro delta

05 Validated

The report is reproducible or technically accepted as a valid vulnerability candidate.

Evidence: root cause + reproduction

06 Accepted / Closed

Every final decision carries a structured closure reason, duplicate analysis, or scope citation.

Evidence: reason + references

07 Resolved

Resolution tracks fix references, disclosure status, and post-fix verification when applicable.

Evidence: fix + verification

principles

Our rules are the product.

Process quality is not optional. The platform enforces the standards that serious vulnerability disclosure needs.

out-of-scope

Must cite the exact written scope clause.

duplicate

Must cite prior report hash or internal ID and same-fix analysis.

intended behavior

Must cite docs, code comments, architecture notes, or explicit design decisions.

severity downgrade

Must explain the impact delta and map to the project-specific severity overlay.

AI-assisted writing

No closure solely because a report looks AI-written. Hallucinated or non-reproducible reports are rejected on evidence.
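The workflow section and the closure rules above together describe a small state machine: fixed status transitions, required evidence per status, SLA clocks, and closure decisions that must carry a technical explanation plus the citations their category demands. The following Python is an added example written for this page, not Lumenify's code. Status names, SLA windows and closure categories come from the page; the field names (reason, references, prior_report, same_fix_analysis, fix_ref), the choice to treat the first move into In Triage or Needs Info as the "first technical response", and the timestamps for the sample case LUM-2026-0042 are this example's own assumptions.

```python
# Added example, not Lumenify's code: a minimal disclosure-workflow engine that
# enforces the page's status transitions, per-status evidence, structured
# closure rules and SLA clocks. Field and function names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Allowed transitions (workflow steps 01-07); Closed from triage or validation.
TRANSITIONS = {"Submitted": {"Acknowledged"}, "Acknowledged": {"In Triage"},
               "In Triage": {"Needs Info", "Validated", "Closed"}, "Needs Info": {"In Triage"},
               "Validated": {"Accepted", "Closed"}, "Accepted": {"Resolved"}}
# Evidence each status must record (the "Evidence:" line of each step).
EVIDENCE = {"Submitted": {"asset", "poc", "impact"}, "Acknowledged": {"timestamp", "owner"},
            "In Triage": {"scope", "path", "severity"}, "Needs Info": {"repro_delta"},
            "Validated": {"root_cause", "reproduction"}, "Accepted": {"reason", "references"},
            "Closed": {"reason", "references"}, "Resolved": {"fix", "verification"}}
# Closure category -> citations it must carry (principles section).
CLOSURE_CITATIONS = {"out-of-scope": {"scope_clause"},
                     "duplicate": {"prior_report", "same_fix_analysis"},
                     "intended-behavior": {"design_reference"},
                     "severity-downgrade": {"impact_delta", "severity_overlay"}}
ACK_SLA, FIRST_RESPONSE_SLA = timedelta(hours=24), timedelta(hours=72)


@dataclass
class Report:
    report_id: str
    root_cause: str
    path: str
    impact: str
    submitted_at: datetime
    status: str = "Submitted"
    history: list = field(default_factory=list)  # (at, from, to, actor, evidence)

    def transition(self, to, actor, evidence, at):
        """Refuse moves the workflow does not allow or that lack the target
        status's evidence; nothing is recorded on refusal."""
        if to not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"{self.status} -> {to} is not a workflow transition")
        if missing := EVIDENCE[to] - set(evidence):
            raise ValueError(f"{to} requires evidence: {sorted(missing)}")
        if to == "Closed":
            check_closure(evidence["reason"], evidence["references"], self)
        self.history.append((at, self.status, to, actor, dict(evidence)))
        self.status = to

    def sla(self, now):
        """(ack_met, first_response_met) for the 24h/72h windows. Assumes the
        first technical response is the first move into In Triage or Needs
        Info; a window with no event yet counts as met only while still open."""
        def first_at(*statuses):
            return next((h[0] for h in self.history if h[2] in statuses), None)

        def met(event_at, window):
            return (event_at or now) - self.submitted_at <= window

        return (met(first_at("Acknowledged"), ACK_SLA),
                met(first_at("In Triage", "Needs Info"), FIRST_RESPONSE_SLA))


def check_closure(reason, references, report):
    """Rule 02: a category plus a technical explanation, with the citations the
    category demands. Rule 03: a duplicate must point at a prior report with
    the same root cause, affected path and impact, and at one shared fix."""
    category = reason.get("category")
    if category not in CLOSURE_CITATIONS:
        raise ValueError(f"unknown or missing closure category: {category!r}")
    if not reason.get("explanation"):
        raise ValueError("a label alone cannot close a report; explanation required")
    if missing := CLOSURE_CITATIONS[category] - set(references):
        raise ValueError(f"{category} closure must cite: {sorted(missing)}")
    if category == "duplicate":
        prior = references["prior_report"]
        same = (prior.root_cause, prior.path, prior.impact) == (report.root_cause, report.path, report.impact)
        if not same or not references["same_fix_analysis"].get("fix_ref"):
            raise ValueError("duplicate needs same root cause, path, impact and one fix resolving both")


def demo():
    """Walk the page's sample case through the workflow on constructed
    timestamps and return what a test can check."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)

    def h(n):
        return t0 + timedelta(hours=n)

    rpt = Report("LUM-2026-0042", "state asymmetry", "vault adapter", "temporary freezing", t0)
    prior = Report("LUM-2026-0017", "state asymmetry", "vault adapter", "temporary freezing", h(-200))
    rejected = []
    for to, actor, ev, at in [
        # project cannot jump to triage without acknowledging first
        ("In Triage", "triage", {"scope": "s", "path": "p", "severity": "m"}, h(1)),
        ("Acknowledged", "project", {"timestamp": h(30), "owner": "protocol-eng"}, h(30)),  # 6h late
        ("In Triage", "triage", {"scope": "vault accounting", "path": "vault adapter", "severity": "medium"}, h(40)),
        # "duplicate" with no explanation or citations is a bare label
        ("Closed", "project", {"reason": {"category": "duplicate"}, "references": {}}, h(41)),
        ("Closed", "triage", {"reason": {"category": "duplicate", "explanation": "Same stale-share path; one re-entry guard fixes both."},
                              "references": {"prior_report": prior, "same_fix_analysis": {"fix_ref": "fix-ref-placeholder"}}}, h(42)),
    ]:
        try:
            rpt.transition(to, actor, ev, at)
        except ValueError as e:
            rejected.append(str(e))
    return {"status": rpt.status, "rejected": rejected, "sla": rpt.sla(h(72)), "transitions": len(rpt.history)}
```

Running demo() shows the two refusals the rules exist for: the skipped acknowledgement is not a workflow transition, and the bare "duplicate" label is refused before anything is recorded; the reasoned duplicate closure, citing a prior report with the same root cause, path and impact and one shared fix, is the only closure that lands. The SLA tuple comes back (False, True): acknowledgement at 30h missed the 24h window while triage at 40h met the 72h one.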

private pilot

Launching invite-only.

We are onboarding a small group of EVM DeFi protocols and high-signal researchers for the first private pilot.

3-5

pilot protocols

Mid-sized EVM DeFi teams with active engineering and real vulnerability intake needs.

5-10

trusted researchers

Pseudonymous participation allowed. Reputation starts from evidence, PoCs, and vouching.

EVM DeFi

first ecosystem

Vaults, lending, staking, bridges, perps, and asset-management protocols first.

No custody

v1 boundary

No escrow or bounty custody in v1. The first product proves workflow and trust.


Bring serious reports into the light.