Security

Responsible Disclosure Policy

Last updated

We welcome reports from security researchers and value the work of the community in keeping MudraID and our users safe. This policy explains how to report a vulnerability and what you can expect from us.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorised, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action against you. If a third party brings legal action and you have complied with this policy, we will make it known that your actions were conducted in compliance with it.

How to report

Email security@mudraid.ai with:

  • A clear description of the issue and its potential impact.
  • Step-by-step instructions to reproduce it (proof-of-concept, requests, or screenshots).
  • The affected URL, endpoint, or component.
  • Any suggested remediation, if you have one.

Research guidelines

  • Give us a reasonable time to investigate and remediate before any public disclosure.
  • Only interact with accounts you own or have explicit permission to test.
  • Do not access, modify, or delete data that does not belong to you.
  • Avoid privacy violations, service degradation, and destruction of data.
  • Do not run denial-of-service, spam, or social-engineering attacks against our staff or customers.

Out of scope

  • Findings from automated scanners without a demonstrated, exploitable impact.
  • Reports of missing best-practice headers or configurations without a concrete exploit.
  • Denial-of-service and volumetric attacks.
  • Social engineering, phishing, or physical attacks.

Our commitment

  • We will acknowledge your report after we receive it.
  • We will keep you informed as we investigate and remediate.
  • We will let you know when the issue is resolved.
  • With your permission, we are happy to credit you once a fix is released.

Questions about this policy? Contact security@mudraid.ai.