Security Program

Vulnerability Disclosure Program

At Mainder, we take the security and privacy of our customers' data very seriously. We welcome responsible security research and are committed to working with researchers to verify and remediate vulnerabilities in a timely manner.

Response Time: we acknowledge reports within 3–5 business days.

Safe Harbor: good-faith research conducted under this policy is authorized and protected.

Program Overview
Last updated: 17 November 2025 | Owner: Cristian Vera, CTO

This document describes our public Vulnerability Disclosure Program (VDP). It also serves as our lightweight bug bounty program; see "Rewards and Recognition" below for what that currently means in practice.

Scope

✓ In Scope

  • Mainder web application: https://mainder.ai
  • Mainder API and backend services used by the production application
  • Any subdomains or services clearly operated by Mainder for its core product

✗ Out of Scope

  • Denial of Service (DoS/DDoS) attacks or stress testing that can degrade service
  • Social engineering attacks against Mainder employees or customers
  • Physical security attacks against Mainder offices or infrastructure providers
  • Third-party services that Mainder uses but does not control (e.g., cloud provider infrastructure)
  • Vulnerabilities in browser extensions, operating systems, or networks not under Mainder's control

How to Report a Vulnerability

If you believe you have found a security vulnerability in a Mainder system or application, please report it to us as soon as possible by emailing:

Contact email: security@mainder.ai

Include as much detail as possible:

  • A clear description of the vulnerability
  • Steps to reproduce, including URLs, parameters, and example requests/responses when applicable
  • Any relevant screenshots or proof-of-concept code
  • The impact you believe the issue could have
  • Your contact details so we can follow up with you

⚠️ Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.

Our Commitments

When you report a vulnerability to us and follow this policy, we commit to:

  1. Acknowledgement: acknowledge receipt of your report within 3–5 business days.
  2. Triage and Assessment: evaluate the reported issue, assign a severity, and determine whether it is in scope.
  3. Remediation: work to remediate validated vulnerabilities in a timely manner, prioritising high and critical severity issues.
  4. Communication: keep you informed of the status of your report (triaged, in progress, fixed, etc.), subject to our internal processes and confidentiality obligations.

Researcher Guidelines

To help us protect our users and systems, we ask security researchers to:

  • Act in good faith and avoid actions that could cause harm to Mainder or its customers.
  • Test only against accounts and data that you own or have explicit permission to use.
  • Not attempt to access, modify, or delete other users' data.
  • Not exfiltrate data; if you accidentally access data that is not yours, stop testing and report the issue immediately.
  • Avoid any testing that could degrade service or impact availability for other users.
  • Respect applicable laws at all times.

Safe Harbor

We will not initiate legal action against researchers for security research performed in good faith and in accordance with this policy. As long as you:

  • make a good-faith effort to comply with this policy,
  • avoid violating privacy or causing harm, and
  • give us a reasonable opportunity to fix issues before public disclosure,

we will treat your research as authorized and will work with you to resolve the issue.

Rewards and Recognition

At this time, Mainder does not operate a formal paid bug bounty program with monetary rewards. However:

  • We may, at our discretion, offer public recognition (for example, in a "Security Hall of Fame" section on our website) for researchers who submit high-quality, impactful vulnerability reports.
  • As our program matures, we may introduce financial rewards or partner with a dedicated bug bounty platform (e.g., HackerOne, Bugcrowd) in the future.

Privacy and Data Protection

All vulnerability reports will be handled confidentially. Any personal data that you share with us as part of the report will be processed solely for the purpose of triaging, reproducing, and fixing the vulnerability, in line with our privacy and data protection obligations.

Questions?

If you have any questions about this policy, or are unsure whether a test is in scope, please contact us at security@mainder.ai before you begin testing.