Report a Security Vulnerability
Help us keep Mendora secure by reporting potential security vulnerabilities. We take security seriously and appreciate responsible disclosure from the security community.
Submit a Vulnerability Report
Please provide as much detail as possible to help us understand and address the security issue.
Our Security Response Process
We follow a structured process to handle vulnerability reports efficiently and responsibly.
Submit Report
Fill out the vulnerability report form with detailed information about the security issue.
Initial Review
Our security team reviews your report within 24 hours and provides an initial assessment.
Verification
We reproduce and verify the vulnerability, working with you to understand the full scope.
Resolution
We develop and deploy a fix, then notify you when the vulnerability has been resolved.
Recognition
Eligible researchers receive recognition and rewards through our bug bounty program.
Security Research Guidelines
Please review these guidelines before conducting security research on Mendora's systems.
Responsible Disclosure
- Do not access, modify or delete data that belongs to others
- Do not perform actions that could harm our users or our service
- Do not publicly disclose the vulnerability until we have resolved it
- Provide us with reasonable time to investigate and resolve the issue
- Do not use social engineering, physical attacks or denial of service
In Scope
- All Mendora web applications (*.mendora.life)
- Mendora mobile applications (iOS & Android)
- API endpoints and web services
- Authentication and authorization mechanisms
- Data handling and storage vulnerabilities
Out of Scope
- Third-party applications and services
- Physical security issues
- Social engineering attacks
- Denial of Service (DoS) attacks
- Content spoofing and text injection without impact
- Issues requiring user interaction with malicious files
Report Quality
- Provide clear and detailed steps to reproduce
- Include proof of concept when possible
- Describe the potential impact accurately
- Use the severity classification correctly
- Submit one vulnerability per report for clarity
Severity Classification
Use these guidelines to classify the severity of vulnerabilities in your reports.
Critical
Vulnerabilities that can be exploited remotely without authentication and could lead to system compromise
Examples:
- Remote code execution
- SQL injection with admin access
- Authentication bypass
High
Vulnerabilities that significantly compromise user data or system integrity
Examples:
- Privilege escalation
- Sensitive data exposure
- CSRF on critical functions
Medium
Vulnerabilities that could allow unauthorized access to limited data or functionality
Examples:
- XSS with limited impact
- Information disclosure
- Business logic flaws
Low
Vulnerabilities with minimal security impact
Examples:
- Self-XSS
- Minor information disclosure
- UI redressing
Legal Safe Harbor
Mendora supports responsible vulnerability disclosure. If you conduct security research in accordance with this policy, we will not pursue legal action against you for:
- Accessing our systems to identify security vulnerabilities
- Circumventing security measures during your research
- Accessing data during your research, provided you do not share it with others
We ask that you:
- Make every effort to avoid privacy violations and data destruction
- Use the minimum amount of data necessary to demonstrate a vulnerability
- Report vulnerabilities promptly
- Keep vulnerabilities confidential until they are resolved
Important: This policy does not authorize testing on third-party systems that may be connected to or accessible through Mendora's infrastructure. Always ensure you have explicit permission before testing systems you do not own.
