Vulnerability Disclosure Policy

• Websites
• APIs and backend systems
• Mobile applications
• Cloud infrastructure

• Do not exploit the vulnerability or access data without authorization.
• Avoid privacy violations, data destruction, or service disruption.
• Give us reasonable time to investigate and address the issue before public disclosure.
• Do not use automated scanning tools without prior consent.
• Make a good faith effort to avoid privacy or service interruptions during your testing.

• We will acknowledge your report within 5 business days.
• We will investigate the issue and provide an estimated timeframe for a resolution.
• We will notify you when the issue is resolved.
• We will not take legal action against you if your actions are in line with this policy.

• Anonymous reports are taken seriously and prioritized.
• We won’t take legal action against good-faith reports.

• Rewards are based on impact and report quality.

• Description of the vulnerability
• Steps to reproduce the issue
• Any relevant screenshots or code snippets
• Your contact information (PGP key if available)
• You may optionally use our [PGP key / secure contact form] to encrypt your message.

Recognition
We may publicly recognize your contribution on our website or in release notes, with your permission. While we do not currently offer monetary rewards, we value and appreciate the time and effort of all responsible disclosures.


Exclusions
Please note that the following activities are not considered in scope:    

• Denial of Service (DoS) attacks
• Social engineering or phishing
• Physical security testing
• Attacks against third-party services or applications not owned by Mavim