
Security

Our commitment to keeping your data safe and our responsible disclosure policy.

Our Commitment to Security

At Minapin, security is fundamental to everything we build and operate. We invest in strong security practices across our infrastructure, applications, and processes to protect the data entrusted to us by our clients and visitors. We continuously evaluate and improve our security posture to stay ahead of emerging threats.

We believe that working with skilled security researchers and the broader community is an important part of maintaining a secure environment. We welcome and appreciate responsible disclosure of any vulnerabilities that may be found in our systems.

Responsible Disclosure Policy

If you believe you have discovered a security vulnerability in our website or any of our systems, we encourage you to report it to us responsibly. We are committed to working with security researchers to verify and address potential vulnerabilities in a timely manner.

We ask that you:

  • Make a good-faith effort to avoid privacy violations, data destruction, and disruption of service during your research.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it publicly.
  • Do not access, modify, or delete data belonging to other users.
  • Do not perform testing that could degrade or disrupt our services for other users.
  • Only interact with accounts you own or with explicit permission from the account holder.

What to Report

We are interested in hearing about vulnerabilities that could compromise the security, integrity, or availability of our systems, including but not limited to:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Authentication or authorization flaws
  • Server-side request forgery (SSRF)
  • Remote code execution
  • Sensitive data exposure
  • Security misconfigurations that could be exploited

How to Report

Please send your vulnerability report to:

Email: security@minapin.com

In your report, please include:

  • A clear description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue, including any URLs, parameters, or payloads used.
  • Screenshots or proof-of-concept code, if applicable.
  • Your contact information so we can follow up with questions or updates.

Please encrypt sensitive reports using our PGP key if available, or clearly mark the email as confidential.

What We Promise

When you report a vulnerability in good faith, you can expect the following from us:

  • Acknowledgment within 48 hours: We will confirm receipt of your report within two business days.
  • Assessment and communication: We will investigate the report promptly and keep you informed of our progress.
  • No legal action: We will not pursue legal action against security researchers who discover and report vulnerabilities responsibly, in accordance with this policy.
  • Credit: With your permission, we are happy to acknowledge your contribution once the vulnerability has been resolved.
  • Timely resolution: We will work to remediate confirmed vulnerabilities as quickly as possible, prioritizing based on severity and impact.

Out of Scope

The following types of findings are generally considered out of scope for our responsible disclosure program:

  • Denial of service (DoS/DDoS) attacks or any form of resource exhaustion testing.
  • Social engineering attacks (e.g., phishing) against our employees, contractors, or users.
  • Physical security testing of our offices or data centers.
  • Automated vulnerability scanning that generates excessive traffic or disrupts service.
  • Reports of missing security headers that do not demonstrate a concrete exploit or vulnerability.
  • Clickjacking on pages with no sensitive actions.
  • Reports from automated tools without manual verification or proof of exploitability.
  • Software version disclosure without a demonstrated vulnerability.

We reserve the right to update this policy at any time. If you are unsure whether your research falls within scope, please contact us before testing.