mmhmm Responsible Disclosure and Bug Bounty Policy

This text is provided as a courtesy translation.

Though we work hard to keep our services secure, we know that nothing can be 100% secure. We take notifications about security issues seriously, and will respond swiftly to fix verifiable security issues. We encourage you to report security issues using this form, so that we can fix them, and keep our users safe.

What is the scope of this policy?

Our responsible disclosure policy applies to mmhmm’s products, services and systems. That means that vulnerabilities found in vendor systems fall outside of the scope of this policy scope, and should be reported directly to the vendor. If you are not sure, contact us and we will be happy to help you.

Who does this policy apply to?

This policy applies to anyone who submits a potential vulnerability report (besides employees or affiliates of mmhmm).

Who may be eligible for a bounty?

We may pay, but do not guarantee, a bounty for certain types of vulnerability reports. You may be eligible for a bounty where: 1) the security issue is unique in scope; 2) you are the first to report the issue; 3) the security issue has not been disclosed publicly or to any third party; and 4) payment to you is not prohibited by any law and/or regulation that applies to mmhmm.  Again, the payment of a bounty is entirely at our discretion.

Which domains are in scope?

The domain mmhmm.app and any subdomain, with the exception of subdomains for our third party vendors.

What issues are eligible?

Please don't perform research that could impact our products, services or other users. Prohibited activities include, but are not limited to:

  • Degrading the performance of mmhmm products, services, or the experience of our users in any way
  • Conducting activities that risk disruption of our service
  • Using automated tools to find vulnerabilities. They are noisy and might result in denial of service
  • Engaging in activities that may result in the unauthorized access, modification, or loss of data belonging to either us or our users
  • Performing social engineering (including phishing) or denial of service attacks on mmhmm products or services
  • Using or accessing information or accounts that do not belong to you
  • Violating any applicable laws

Examples of issues that we would like to know about include typical security vulnerabilities, such as:

  • Authentication or Authorization flaws
  • Cross-site Scripting
  • Cross-site request forgery
  • File inclusion
  • Open redirect
  • Server-side code execution
  • Injection Flaws
  • Significant Security Misconfigurations

What issues are not eligible?

  • Issues already known to us and previously reported issues
  • Attacks that require social engineering (phishing, spam, etc.)
  • Self-XSS
  • Missing HTTP Headers, except where their absence fails to mitigate an existing attack
  • Volume-based denial of service
  • Lack of rate limits
  • Assumed vulnerability based upon version disclosure only
  • Missing cookie flags on non-sensitive cookies
  • Reports of insecure SSL/TLS ciphers (unless a PoC is present and not just a report from a tool/scanner)
  • Flaws affecting out-of-date browsers and plugins

What information should I include?

Please report security issues using this form in the following format and selecting “Security report” for “What best describes your issue?”:

Name:

Bug type:

Domain or Product:

URL:

PoC, screenshots, video, etc.:

Please only include one potential vulnerability per report, and do not send automated scanner results without proof of exploitability. We request that you keep reports short and clear; we will contact you if we need more information.

Other guidelines

  • We reserve the right to pay you a bounty, in an amount to be paid at our discretion, conditioned upon your compliance with this policy. Submission of a report does not guarantee payment.
  • Potential vulnerabilities may not be disclosed publicly until mmhmm has reviewed and remediated any issue.
  • Your participation does not create any kind of employment or partnership between you and mmhmm, and you must comply with all laws in connection with your participation in this program.
  • Any information you receive from mmhmm through your participation must be kept confidential.
  • All rights not otherwise granted within this policy are expressly reserved by mmhm, including intellectual property rights.
  • mmhmm reserves the right to discontinue the responsible disclosure program without prior notice at any time.

Any other questions or concerns related to security? Please contact us and we will try to help!