Vulnerability disclosure policy

1000minds takes security seriously and will respond to verifiable security issues.

We welcome any suggestions to improve this policy. The policy is subject to change without notice.

Responsible disclosure

Vulnerability reports should be kept confidential, succinct, and include the issue type, URL(s), severity, and all steps required to reproduce the issue.

Reports can be emailed to security@1000minds.com.

If you report a verifiable issue, 1000minds will publicly acknowledge you on this page.

Any security research should avoid anything that may affect other users of 1000minds.

Domains in scope

All 1000minds.com subdomains are in scope, but primarily app.1000minds.com.

Issues in scope

All web security issues are in scope, e.g. XSS, CSRF, open redirects, etc.

Any issues with no/low impact or likelihood are excluded, e.g.:

  • Missing cookie flags on non-session cookies or 3rd party cookies
  • Social engineering
  • Denial of service
  • Weak TLS ciphers
  • Email spoofing, SPF, DMARC & DKIM
  • Brute force attacks
  • Password policy improvements
  • Hardening tips (CSP, SRI)

Vulnerability scanners

1000minds does not allow any vulnerability scanners to be used against any 1000minds service unless explicitly requested by 1000minds.

The unapproved use of any vulnerability scanning tools may result in restrictions to your account and/or network without warning.

No beg bounties

Any reports that appear to be ‘beg bounties’ asking for payment in return for a disclosure will be ignored.