Vulnerability Disclosure Policy

This policy is intended to minimize the impact of security flaws on our users.

Promise

Mailyard’s core proposition rests not just on our inability to gain access to your data and encryption keys, but also our inability to identify our users. We thus emphasize pursuing a larger-than-usual scope for vulnerability disclosure to protect your privacy.

We are committed to resolve vulnerabilities within 60 calendar days, and to disclose its details upon doing so. If no resolution can be found within this time period, we will at our discretion release details of the vulnerability based on our assessment of its risks upon disclosure.

Scope

All Mailyard products are in scope for reporting, which currently includes:

  1. The mailyard website, located at https://www.mailyard.io/
  2. The client-side web application, located at https://app.mailyard.io

This list will be updated as per necessary and is non-exhaustive; we will consider any vulnerability that affects our core proposition as in scope, and deal with any reports as per the process outlined in this policy.

Safe Harbour

Vulnerabilities that you report in accordance with our policy helps us ensure that security matters are dealt with in the safest possible way with respect to our core proposition. We want security researchers and the general public to feel comfortable in coming forward with vulnerability reports, and ask that you that you follow these guidelines:

  1. Avoid any action that result in privacy violations, disruption to the Mailyard service, or the destruction or manipulation of data.
  2. Refrain from disclosing your discovered vulnerabilities for up to 60 calendar days after you have notified us.

If you are acting in good faith, these guidelines will keep you safe against legal implications. Your communication with us will be kept in strict confidence, and we will not publish them, or information about you without permission.

Process

You may send in your reports via our email at [email protected], you may encrypt sensitive information with our public key, available at https://www.mailyard.io/public-key.txt.

In your report, please include:

  1. Description of the location and potential impact of the vulnerability.
  2. Steps required to reproduce the vulnerability, any sample code, and/or screenshots, will be helpful.

We may ask for further information from you via this channel if necessary, and you may also aprise us for new information if any.

More on Security


Understand the risks that Mailyard guards against

Threat Model

Where we stand on security

Compliance & Certification Status
Sqreen | Runtime Application Protection
Mailyard, by Tinkerbox Studios Pte Ltd © 2019