Mindbody Responsible Disclosure
Date last modified: April 15, 2020
Mindbody strongly believes in protecting the data and the privacy of our customers, and believes that collaboration with the security community is an important part of that. If you believe that you’ve discovered a security issue, please report it through the form below.
When reporting security issues, we ask that you do not publish any details regarding the reported vulnerability. Mindbody will not seek judicial or law enforcement remedies against you for identifying security issues, as long as you follow the policies set forth here. Please test using only account(s) that you own or that you have permission from the owner to target. Do not gather unnecessary sensitive data and please destroy all data you have gathered once the finding has been remediated or upon request.
In Scope
Security issues we are primarily interested in are:
- Any security issue which can expose sensitive or personal data
- Injection
- Security issues related to authentication and session management
- XSS
- CSRF on sensitive actions
Out of Scope
Please avoid testing any of the following:
- Performing actions that may negatively affect Mindbody or its users (e.g. spam, brute force, denial of service…)
- Security issues due to out-of-date client software (e.g. old browsers)
- Phishing or social engineering of Mindbody employees or contractors
- Disclosure of well-known public files
- Configuration of Security Headers
- Third-party systems that Mindbody might rely on, but are not owned by Mindbody
Vulnerability Rewards
Mindbody is not currently providing monetary rewards for findings.
Report a Vulnerability
To report an issue you've discovered, please email [email protected].