If you discover a security vulnerability in LemonCake, please report it privately so we can address it before public disclosure.
Preferred channels:
- 📧 Email: security@lemoncake.xyz (primary)
- 🔒 GitHub Security Advisory: Report a vulnerability
Please include:
- A clear description of the vulnerability and impact
- Steps to reproduce (PoC code, request samples, etc.)
- Affected component (`api/`, `mcp-server/`, `dashboard/`, `create-lemon-agent/`)
- Affected version (npm package version, commit SHA, or "live production")
- Your suggested fix or mitigation, if any
| Severity | First response | Patch target |
|---|---|---|
| Critical (RCE / fund loss / auth bypass) | < 24h | < 72h |
| High (data leak / token forgery / XSS in admin) | < 48h | < 7d |
| Medium (CSRF / minor info disclosure) | < 7d | next release |
| Low (cosmetic / hardening) | < 14d | best-effort |
The following are in scope:
- `api.lemoncake.xyz` (API endpoints)
- `lemoncake.xyz` (dashboard / public site)
- `lemon-cake-mcp` (npm package, MCP server)
- `create-lemon-agent` (npm package, scaffold CLI)
- Polygon USDC payment flows (HOT_WALLET handling, charge proxy)
- Pay Token JWT signing / scoping
- Webhook signature validation (Stripe, Coinbase Commerce)
Out of scope (will be closed without bounty):
- Vulnerabilities that require physical access to a buyer's machine
- Self-XSS without realistic delivery vector
- Best-practice issues (missing CSP headers, etc.) without proven exploitability
- Issues in third-party services we proxy (Hunter.io, Serper, etc.)
- Social engineering attacks against LemonCake operators
We follow coordinated disclosure:
- Reporter sends private report
- We acknowledge within 24h (critical) / 7d (low)
- We patch and deploy
- Reporter is credited (if they wish) in the release notes
- We publish a CVE / advisory after the fix has been live for ≥ 7 days
LemonCake is at an early commercial stage; we do not currently run a paid bounty program, but we are committed to:
- Public acknowledgement (GitHub advisory + release notes + social media if you consent)
- Free LemonCake credits ($50–$500 depending on severity) for confirmed issues
- Reference / introduction to security teams in our network
We expect to formalize a paid bounty program once monthly revenue justifies it.
For time-critical issues affecting live USDC funds in motion (provider payouts, buyer balances), reach the maintainer directly on:
- LemonCake Discord (DM): see https://lemoncake.xyz for invite link
- Founder X DM: @aievid_jp
Please do not post live exploit details in public Discord channels or GitHub issues.