Bug bounty

recognition program — honest about no cash yet

Here is the honest version: we run a recognition program, not a paid bounty. We are a small company and we will not promise payouts we cannot guarantee at every severity level — a bounty table we might renege on is worse than none. What we offer instead is real: fast human response, public credit, and a named slot in the hall of fame below.

What the program is

Every valid report gets a named human, an acknowledgement within 48 hours, and a substantive assessment within 5 working days.
Public credit — name or handle, your choice — in the hall of fame, permanently.
You hear what changed because of your report. Finding out your fix shipped is the part most programs skip.
The full safe harbor at /security/disclosure applies to all program research.

What it is not, yet

No cash rewards today. When the company can fund a payout table it can honor at every level, this page will change and the change will be announced — researchers who earned hall-of-fame slots before that date will not be forgotten in it. Until then we will not dress recognition up as compensation; we would rather be a small program that keeps its word than a generous-looking one that does not.

Hall of fame

Empty, honestly. No valid external vulnerability reports have earned a slot yet — which is a statement about our age and surface area, not our invulnerability.

[ first name earns the first slot ]

✓ report via security@myndlabs.ai — policy at /security/disclosure