2020-04-07

Myndr

No technology is perfect, and Myndr believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • This is a vulnerability disclosure program. The only bounty you can receive is the points you might receive for the platform.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Performing actions that may negatively impact Myndr or its users (for instance Denial of Service attacks, brute-force, spam)

  • Accessing, or attempting to access, data or information that does not belong to you

  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

  • Social engineering (including phishing) any Myndr service desk, employee or contractor

  • Any physical or electronic attack against Myndr property or data centers

  • Violating any laws or breaching any agreements in order to discover vulnerabilities

The following vulnerabilities typically will not qualify for our program:

  • User account hacks that require user interaction

  • Bugs in embedded third-party services like Intercom support chat

  • Chat filter bugs

  • Missing autocomplete attributes

  • Missing flags on cookies that don’t house any sensitive information

  • SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities

  • Missing security-related HTTP headers which do not lead directly to a vulnerability

  • Issues that only affect a smaller user base (e.g. users on outdated browsers or other outdated software)

  • Denial of Service vulnerabilities (DoS)

  • Cross-site Request Forgery (CSRF) with minimal security implications (for example, but not limited to, login/logout/unauthenticated)

  • Version information disclosure (without verifying the presence of an actual exploitable vulnerability)

  • Password complexity related vulnerabilities

  • Unverified or incomplete "Scanner output" or scanner-generated reports

  • Vulnerabilities requiring physical access to the victim's unlocked device

  • Bugs requiring exceedingly unlikely user interaction

  • Disclosure of public information and information that does not present significant risk

  • Vulnerabilities that Myndr determines to be an accepted risk will not be eligible for a paid bounty

  • Language used in emails and policy documents

  • SPF, DKIM or DMARC issues on sub-domains of myndr.nl

  • HTML injection vulnerabilities with no direct risk

  • Social engineering or following a link will not be considered for bounty

  • Self XSS or similar vulnerabilities

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Myndr and our users safe!

In Scope

Scope Type       Scope Name
web_application  osd.myndr.nl
web_application  *.myndr.net
web_application  www.myndr.nl
web_application  *.myndr.nl

Out of Scope

Scope Type       Scope Name
web_application  forum.myndr.nl


This program, crawled on 2020-04-07, is sorted as bounty.
