
Responsible Disclosure Policy

Last Updated: 25 February 2025

Introduction

At MindPal, the security of our customers’ data is our priority. We welcome collaboration with security researchers to identify and resolve vulnerabilities responsibly. By adhering to this policy, you help us maintain a safe environment for our users.
Reporting a Vulnerability

  1. Submit via Email:
    • Send details to security@mindpal.co
    • Include “Security Disclosure: [Brief Description]” in the subject line.
  2. Required Information:
    • Summary: Vulnerability description, potential impact, and affected systems.
    • Steps to Reproduce: Detailed instructions, screenshots, or video PoC.
    • Environment: OS, browser, device, and app versions used during testing.
    • Exploit Code: If applicable, share non-destructive proof-of-concept code.
    • CVSS Score: Optional, but encouraged for severity assessment.
  3. What to Expect:
    • Initial Response: Within 48 business hours.
    • Investigation: Acknowledgment of receipt and updates at key milestones.
    • Resolution: We aim to resolve critical issues within 30 days and will notify you once fixed.

Our Commitment

  • Transparency: Regular communication during the remediation process.
  • Fair Assessment: All reports are evaluated based on severity, impact, and reproducibility.
  • Safe Harbor: We will not pursue legal action against researchers who:
    • Act in good faith and comply with this policy.
    • Avoid privacy violations, data destruction, or service disruption.
    • Refrain from reverse engineering or violating laws (e.g., GDPR, CCPA).

Rewards & Recognition

We value the efforts of those who contribute to the security of our services by reporting vulnerabilities. Not every report will qualify for financial compensation; rewards are based on the severity and impact of the vulnerability, and recognizable contributions may, in certain cases, qualify for financial compensation. Critical vulnerabilities that are severe, have a CVSS score of 4 or higher

  • Exclusions:
    • Duplicate or known issues.
    • Vulnerabilities in out-of-scope systems (see below).
    • Low-risk findings (e.g., missing security headers, theoretical flaws).

Scope

In-Scope Assets:

Priority Vulnerabilities:

  • OWASP Top 10 risks (e.g., SQLi, XSS, SSRF, insecure auth).
  • Logic flaws enabling unauthorized access or data exposure.

Out-of-Scope:

  • Third-party services not directly managed by MindPal.
  • Automated scanner reports (e.g., Nessus, Burp Suite).
  • Social engineering, physical attacks, or DDoS attempts.
  • Issues lacking demonstrable impact (e.g., clickjacking without PoC).

Researcher Guidelines

  • Do:
    • Test only on accounts you own or have explicit permission to access.
    • Minimize disruption (e.g., avoid brute-force attacks or data deletion).
    • Securely delete any copied data post-investigation.
  • Don’t:
    • Disclose vulnerabilities publicly before approval (allow 90 days post-resolution).
    • Exploit the vulnerability beyond proof-of-concept.
    • Violate user privacy or applicable laws.

Questions?

Contact security@mindpal.co for policy clarifications.