MINDBODY Responsible Disclosure
Date last modified: August 5, 2019
MINDBODY strongly believes in protecting the data and the privacy of our customers, and believes that collaboration with the security community is an important part of that. If you believe that you’ve discovered a security issue, please report it through the form below. MINDBODY partners with Bugcrowd for the initial engagement and triage of reported security issues.
When reporting security issues, we ask that you do not publish any details regarding the reported vulnerability. MINDBODY will not seek judicial or law enforcement remedies against you for identifying security issues, as long as you follow the policies set forth here, as well as Bugcrowd’s Standard Disclosure Terms. Please test using only account(s) that you own or that you have permission from the owner to target. Do not gather unnecessary sensitive data and please destroy all data you have gathered once the finding has been remediated or upon request.
Security issues we are primarily interested in are:
- Any security issue which can expose sensitive or personal data
- Authentication and Session management related security issues
- CSRF on sensitive actions
Out of Scope
Please avoid testing any of the following:
- Performing actions that may negatively affect MINDBODY or its users (e.g. Spam, Brute Force, Denial of Service…)
- Security issues due to out-of-date client software (e.g. old browsers)
- Phishing or social engineering of MINDBODY employees or contractors
- Disclosure of well-known public files
- Configuration of Security Headers
- Third-party systems that MINDBODY might rely on, but are not owned by MINDBODY
MINDBODY is not currently providing monetary rewards for findings. If you are a Bugcrowd researcher, verified security issues will be rewarded with Kudos on the Bugcrowd platform.