Upmind’s customers trust us with their data, and we take that responsibility seriously. We welcome responsible security research and coordinated disclosure of vulnerabilities that could affect the confidentiality, integrity, or availability of our services.
This policy explains how to notify us about a suspected issue; what is in scope; what is out of scope; and the protections we extend to good-faith researchers.
Upmind does not operate a paid bug-bounty programme and cannot guarantee a monetary reward.
However, we value and act upon responsible disclosures, and may provide a reward at our discretion. For a report to be eligible, we will need to confirm the validity and impact of the potential vulnerability.
<aside> 💡
Please note that we do perform automated scans using industry-standard tools (Burp Suite, SSLChecker, etc.), and as such, we do not accept findings from automated tools unless they are non-standard or identify a critical vulnerability.
</aside>
✅ Do act in good faith and stop testing as soon as you confirm the vulnerability.
✅ Do limit traffic to 10 requests per second.
✅ Do use only accounts and data you own.
✅ Do provide a clear, concise report (see below).
❌ Do not run high-volume or destructive scans, fuzzers, or (D)DoS tools.
❌ Do not attempt social-engineering or phishing of Upmind staff or customers.
❌ Do not exfiltrate, view, or modify data that is not yours.
❌ Do not persist inside systems after proof of vulnerability.
❌ Do not publicly disclose before we have confirmed and resolved the issue.
You can create a ticket via Upmind or email [email protected] directly.
Please include: