Responsible Vulnerability Disclosure

Policy

At Mindtickle, we are committed to protecting the privacy and security of the data our customers have entrusted to us. We have implemented numerous measures to secure our infrastructure and the platform.

Despite the measures, due to evolving nature of the technology landscape, it is always possible that we are affected by new vulnerabilities. We acknowledge the importance of time spent and valuable assistance provided by independent security researchers to make our web experience more secure.

We are promoting a culture of responsible disclosure of vulnerabilities that affects the security and privacy of our platform and its users.

Scope

The sites, applications, and APIs covered in this policy are listed below.

• Platform admin site – admin.mindtickle.com
• Platform learning sites – <name>.mindtickle.com
• Other platform pages – *.mindtickle.com
• Open API – api.mindtickle.com
• iOS mobile application
• Android mobile application

Exclusions

We have carefully chosen the exclusions to prioritize our remediation efforts on the vulnerability that can be exploited and directly impact our platform hosting customer data. We request you not to report any vulnerabilities that only focus on the enumeration and information gathering and have no potential to penetrate our systems. Anything not declared in the scope above is considered out of scope.

The below list covers the exclusions –

• Denial of Service (DoS) / Distributed Denial of Service (DDoS)
• Cross-origin resource sharing (CORS)
  
• WordPress XML-RPC.php
• Server-side request forgery (SSRF)
  
• Brute force attack on any of the pages
• Session timeout since it is configured at a customer level
• Uploading masqueraded file by changing the extension
• Ability to upload/down viruses or malicious files to the platform
• Rate limiting restrictions imposed by the platform or API
• Missing captcha on the pages
• Ability to accept web browser ‘autocomplete’ or ‘saved passwords’ functionality
• Known third party library vulnerabilities that cannot be exploited on the platform
• Missing HTTP security headers that do not pose any security threats
• Missing Secure, HTTPOnly flags on cookies that do not hold any confidential or authentication information
• Learning site settings enumeration containing non-sensitive information
• Fingerprinting, host header, and banner grabbing issues
• Descriptive error messages (e.g., stack traces, application error messages, server HTTP response)
• Information gathered through social engineering (e.g., phishing, vishing)
• Physical security of the Mindtickle offices or employee working environment
• Conducting any kind of physical or electronic attack on Mindtickle personnel or property

Guidelines

We encourage the efforts spent by security researchers to identify legitimate vulnerabilities. To make this process smooth, we have defined a set of guidelines that help us differentiate malicious intent from the genuine discovery that helps us make our platform safer.

• Sending automated reports generated by tools and scanners is prohibited.
• Seek consent from your organization before using any company-provided user accounts for performing any testing or research activity.
• Do not attempt to gain access to another user’s account.
• Performing social engineering or sending unsolicited messages such as spam, phishing, etc., is not allowed.
• Do not violate any laws or regulations by compromising any other data that is not your own; use test data.
• Avoid any activity that violates user privacy, disrupts the platform, destructs or modifies the data, exfiltrates unnecessary confidential information, or degrades the application performance.
• Do not disclose any information about discovered vulnerabilities unless authorized by Mindtickle. Only use the approved process defined in the below section to send vulnerability reports to Mindtickle.
• Immediately report if you inadvertently encounter any customer or personal information. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability.
• Do not validate or make use of any sensitive customer or personal information you may have encountered during your research and testing.
• Although we encourage responsible vulnerability disclosure, the specific bug bounty awards offered for the vulnerabilities are at the discretion of Mindtickle.
• Bug bounty awards would be considered only in cases of critical/high impact vulnerabilities that can penetrate our systems affecting platform availability or customer data.
• We withhold the right to grant, modify or deny grants. In such cases, the reporter would be responsible for the tax implications of payouts.

Disclosure Process

If you have found any in scope security or privacy vulnerability and adhere to the exclusions and guidelines, please report it to us promptly by emailing it to the Mindtickle security team at [email protected]. We ask that you do not share any of the details of the identified vulnerability publicly or with anyone else apart from the Mindtickle security team.

Include the following details with your report:

• Name of the reporter
• Email address where we can contact you
• The scoped site, application, or API impacted
• The potential impact of the vulnerability on the systems or data
• Steps to reproduce the vulnerability (please include screenshots, videos, scripts, commands, etc.)
• Any specific information that will help us remediate the vulnerability faster.

We will get back to you as soon as possible and keep you updated on the progress of the vulnerability remediation activity.

Safe Harbor

If you comply with this policy while reporting the vulnerability, we will safeguard you against any legal action under Computer Fraud and Abuse Act (CFAA) or Digital Millennium Copyright Act (DMCA).