Vulnerability Disclosure Policy
Last Updated: December 2, 2025
Version 1
Vulnerability Disclosure & Bug Bounty Policy
Policy ID: VDP-2024-001-SEC
Effective Date: December 1, 2024
Last Updated: December 3, 2024
Version: 1.0
Bounty Program Status: ACTIVE
1. Introduction & Purpose
1.1 Our Commitment
At Milenial Compliance Platform, we prioritize the security and privacy of our users' data. We recognize the critical role that security researchers play in maintaining the security of our platform. This policy outlines our approach to accepting and rewarding vulnerability disclosures.
1.2 Scope
This policy applies to all security vulnerabilities discovered in:
The Milenial Compliance Platform web application
Our public-facing APIs and integrations
Mobile applications (when available)
Third-party dependencies within our control
Infrastructure supporting our services
1.3 Core Principles
Responsible Disclosure: We encourage coordinated disclosure
Transparency: Clear communication about our process
Fairness: Equitable treatment of all researchers
Recognition: Proper acknowledgment for contributions
2. Safe Harbor Provisions
2.1 Legal Protection
We provide legal safe harbor for security researchers who:
Make a good faith effort to avoid privacy violations
Do not access or modify user data without permission
Refrain from disrupting our services
Comply with all terms of this policy
2.2 What We Promise
We will not initiate legal action against you if you:
Report vulnerabilities through our official channels
Allow us a reasonable time to address the issue
Avoid violating laws or causing harm
Do not publicly disclose the vulnerability before we've fixed it
2.3 What We Expect
In return, we expect you to:
Test only against systems you own or have explicit permission to test
Respect our users' privacy and data
Not exploit any vulnerability you discover
Keep vulnerability details confidential until we authorize disclosure
3. Reporting Procedures
3.1 How to Report
Submit all vulnerability reports to: security@milenial.com
Or use our Security Researcher Portal for structured submissions.
3.2 Required Information
Your report should include:
1. Contact Information: Your name and preferred contact method
2. Vulnerability Description: Clear, concise description of the issue
3. Impact Assessment: Potential impact of the vulnerability
4. Steps to Reproduce: Detailed reproduction instructions
5. Proof of Concept: Screenshots, videos, or code demonstrating the issue
6. Suggested Remediation: Ideas for fixing the issue (if any)
7. Discovery Date: When you found the vulnerability
8. Disclosure Plans: Your intended disclosure timeline
4. Program Scope
4.1 In-Scope Vulnerabilities
We welcome reports of the following vulnerabilities in our systems:
4.1.1 Critical Impact
Remote Code Execution (RCE)
SQL Injection with data extraction
Authentication/Authorization bypasses
Privilege escalation to admin access
Cross-Site Scripting (XSS) leading to account takeover
4.1.2 High Impact
Server-Side Request Forgery (SSRF)
Insecure Direct Object References (IDOR) with significant data exposure
Cross-Site Request Forgery (CSRF) with critical impact
XML External Entity (XXE) injection
Business logic flaws with financial impact
4.1.3 Medium Impact
Cross-Site Scripting (XSS) without account takeover
Information disclosure of sensitive data
Insecure file upload vulnerabilities
API rate limiting bypasses
Open redirects with security implications
4.1.4 Low Impact
Security misconfigurations
Clickjacking on non-sensitive pages
Reflected File Download (RFD) vulnerabilities
Missing security headers on non-critical endpoints
4.2 Out-of-Scope Vulnerabilities
The following are NOT eligible for bounties:
4.2.1 Non-Qualifying Issues
Theoretical vulnerabilities without proof of concept
Social engineering attacks (phishing, vishing)
Physical security weaknesses
Denial of Service (DoS/DDoS) vulnerabilities
Spam or rate limiting issues without security impact
Missing best practices without exploitable impact
Vulnerabilities in third-party services we don't control
Issues requiring physical access to user devices
Self-XSS or issues requiring unlikely user interaction
4.2.2 Excluded Testing Methods
Automated scanning without manual verification
Testing against production systems with real user data
Any testing that could impact service availability
Social engineering of Milenial employees or contractors
Physical intrusion attempts
Testing against systems not explicitly in scope
4.3 Testing Environment
We provide a dedicated testing environment:
Staging URL: https://staging.milenial.com
Test Accounts: Available upon request
API Sandbox: https://api-sandbox.milenial.com
5. Response Timelines
5.1 Our Commitment to Timely Response
Stage | Timeline
-------|----------
Initial Acknowledgment | Within 24 hours
Triage & Severity Assessment | Within 3 business days
Status Update | Every 7 days during investigation
Remediation Target (Critical) | 7 days
Remediation Target (High) | 14 days
Remediation Target (Medium) | 30 days
Remediation Target (Low) | 90 days
Bounty Payment | Within 14 days of fix verification
5.2 Communication
All communications via secure email or portal
Regular status updates throughout the process
Clear notification when issues are resolved
6. Bounty Rewards
6.1 Reward Structure
Severity | Bounty Range
----------|--------------
Critical | $2,000 - $10,000
High | $1,000 - $2,000
Medium | $250 - $1,000
Low | $50 - $250
6.2 Bonus Multipliers
First Report: 1.5x for first valid report of a vulnerability class
Quality Report: 1.25x for exceptionally detailed reports
Fix Suggestion: 1.1x for reports with working fix suggestions
6.3 Payment Methods
PayPal
Bank Transfer (ACH/Wire)
Cryptocurrency (BTC, ETH)
Charitable Donation (in your name)
6.4 Eligibility Requirements
To receive a bounty, you must:
Be the first to report the vulnerability
Not be a current or former Milenial employee
Not be a resident of a country under U.S. sanctions
Comply with all terms of this policy
Provide valid payment information
7. Recognition & Acknowledgment
7.1 Hall of Fame
Researchers who submit valid vulnerabilities may be listed on our Security Hall of Fame with:
Name or handle (as preferred)
Country (optional)
Number of valid submissions
Severity levels contributed
7.2 Recognition Options
Public acknowledgment on our website
LinkedIn recommendation
Reference letter for employment
Swag and merchandise
Conference ticket sponsorship (for exceptional contributions)
7.3 Confidentiality
We respect your privacy:
Anonymous submissions accepted
No public disclosure without your consent
Handle/alias recognition available