Responsible disclosure

Full policy and safe harbor

If you find a vulnerability in anything we operate, we want the report — and we want reporting to be safe, fast, and worth your while. This is the complete policy: scope, rules, our commitments to you, and the safe harbor we extend to good-faith research.

How to report

Email security@myndlabs.ai with steps to reproduce, the impact you believe the issue has, and any proof-of-concept material. One issue per report. We acknowledge within 48 hours, give you a substantive assessment within 5 working days, and keep you informed through remediation. If you want credit, you get credit — on the bug bounty recognition page, by the name or handle you choose.

In scope

  • myndlabs.ai and all routes under it
  • Public API endpoints under /api/*
  • Authentication, capability-token, and rate-limit logic
  • The Y0 runtime surfaces we operate at y0.myndlabs.tech

Out of scope

  • Denial-of-service and volumetric attacks of any kind
  • Social engineering of Mynd Labs staff or users
  • Third-party services we link to but do not operate
  • Automated scanner output with no demonstrated impact
  • Missing best-practice headers on pages with no sensitive function

Rules of engagement

  • Do not access, modify, or delete data that is not yours — use accounts you control.
  • Do not degrade the service for other users while testing.
  • Stop and report immediately if you encounter someone else's data.
  • Give us 90 days to remediate before any public disclosure; we will usually be far faster and will coordinate timing with you.

Safe harbor

If you make a good-faith effort to follow this policy, we consider your research authorized under applicable anti-hacking and anti-circumvention laws. We will not initiate legal action against you for it, and if a third party does, we will state on the record that your activities were conducted in compliance with this policy. Good faith means staying in scope, respecting the rules above, and reporting promptly. This safe harbor does not cover actions that exceed the policy, and it cannot bind parties other than Mynd Labs — which is exactly why we commit to saying, publicly if needed, that you acted with our authorization.

Our commitments back to you

  • Acknowledgement within 48 hours, assessment within 5 working days.
  • A named human on the thread — not a ticket queue.
  • You hear what changed because of your report, not just that it was 'resolved'.
  • Credit on the recognition page, or anonymity, at your choice.

Machine-readable policy at /.well-known/security.txt