
Vulnerability Disclosure Policy

Bug bounty program, safe harbor provisions, and responsible disclosure process.

Updated 12/3/2025 · v1

Policy ID: VDP-2024-001-SEC · Effective Date: December 1, 2024 · Version: 1.0

Bounty Program Status: ACTIVE

1. Introduction & Purpose

1.1 Our Commitment

At Milenial Compliance Platform, we prioritize the security and privacy of our users' data. We recognize the critical role that security researchers play in maintaining the security of our platform. This policy outlines our approach to accepting and rewarding vulnerability disclosures.

1.2 Scope

This policy applies to all security vulnerabilities discovered in:

  • The Milenial Compliance Platform web application
  • Our public-facing APIs and integrations
  • Third-party dependencies within our control
  • Infrastructure supporting our services

1.3 Core Principles

  • Responsible Disclosure: We encourage coordinated disclosure
  • Transparency: Clear communication about our process
  • Fairness: Equitable treatment of all researchers
  • Recognition: Proper acknowledgment for contributions

2. Safe Harbor Provisions

2.1 Legal Protection

We provide legal safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations
  • Do not access or modify user data without permission
  • Refrain from disrupting our services
  • Comply with all terms of this policy

2.2 What We Promise

We will not initiate legal action against you if you:

  • Report vulnerabilities through our official channels
  • Allow us a reasonable time to address the issue
  • Avoid violating laws or causing harm
  • Do not publicly disclose the vulnerability before we've fixed it

3. Reporting Procedures

3.1 How to Report

Submit all vulnerability reports to: security@milenialinc.com

3.2 Required Information

Your report should include:

  • Contact information and preferred contact method
  • Clear, concise description of the vulnerability
  • Potential impact assessment
  • Detailed steps to reproduce
  • Proof of concept (screenshots, videos, or code)
  • Suggested remediation if any
  • Discovery date and intended disclosure timeline

4. Program Scope

4.1 In-Scope Vulnerabilities — Critical Impact

  • Remote Code Execution (RCE)
  • SQL Injection with data extraction
  • Authentication/Authorization bypasses
  • Privilege escalation to admin access
  • Cross-Site Scripting (XSS) leading to account takeover

4.2 In-Scope Vulnerabilities — High Impact

  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object References (IDOR) with significant data exposure
  • Cross-Site Request Forgery (CSRF) with critical impact
  • XML External Entity (XXE) injection
  • Business logic flaws with financial impact

4.3 In-Scope Vulnerabilities — Medium/Low Impact

  • XSS without account takeover
  • Information disclosure of sensitive data
  • Insecure file upload vulnerabilities
  • API rate limiting bypasses
  • Security misconfigurations
  • Missing security headers on critical endpoints

4.4 Out-of-Scope

  • Theoretical vulnerabilities without proof of concept
  • Social engineering attacks
  • Denial of Service (DoS/DDoS)
  • Automated scanning without manual verification
  • Testing against production systems with real user data
  • Self-XSS or issues requiring unlikely user interaction

5. Response Timelines

Stage                             Timeline
--------------------------------  ---------------------------------------
Initial Acknowledgment            Within 24 hours
Triage & Severity Assessment      Within 3 business days
Status Update                     Every 7 days during investigation
Remediation Target (Critical)     7 days
Remediation Target (High)         14 days
Remediation Target (Medium)       30 days
Remediation Target (Low)          90 days
Bounty Payment                    Within 14 days of fix verification

6. Bounty Rewards

6.1 Reward Structure

Severity    Bounty Range
----------  -----------------
Critical    $2,000 – $10,000
High        $1,000 – $2,000
Medium      $250 – $1,000
Low         $50 – $250

6.2 Bonus Multipliers

  • First Report: 1.5x for first valid report of a vulnerability class
  • Quality Report: 1.25x for exceptionally detailed reports
  • Fix Suggestion: 1.1x for reports with working fix suggestions

6.3 Payment Methods

  • Bank Transfer (ACH/Wire)
  • PayPal
  • Cryptocurrency (BTC, ETH)
  • Charitable Donation (in your name)

6.4 Eligibility Requirements

  • Be the first to report the vulnerability
  • Not be a current or former Milenial employee
  • Not be a resident of a country under U.S. sanctions
  • Comply with all terms of this policy

7. Recognition & Acknowledgment

Researchers who submit valid vulnerabilities may be listed on our Security Hall of Fame with their name or handle (as preferred) and the severity levels they contributed. Anonymous submissions are also accepted.

8. Contact

Security Team: security@milenialinc.com
