This policy is intended to minimize the impact of security flaws on our users.
Mailyard’s core proposition rests not just on our inability to gain access to your data and encryption keys, but also on our inability to identify our users. We therefore pursue a larger-than-usual scope for vulnerability disclosure to protect your privacy.
We are committed to resolving vulnerabilities within 60 calendar days, and to disclosing their details upon doing so. If no resolution can be found within this time period, we will at our discretion release details of the vulnerability based on our assessment of its risks upon disclosure.
All Mailyard products are in scope for reporting, which currently includes:
This list will be updated as necessary and is non-exhaustive; we will consider any vulnerability that affects our core proposition as in scope, and deal with any reports as per the process outlined in this policy.
Vulnerabilities that you report in accordance with our policy help us ensure that security matters are dealt with in the safest possible way with respect to our core proposition. We want security researchers and the general public to feel comfortable in coming forward with vulnerability reports, and ask that you follow these guidelines:
If you are acting in good faith, these guidelines will keep you safe against legal implications. Your communication with us will be kept in strict confidence, and we will not publish it, or information about you, without permission.
You may send in your reports via our email at [email protected]. You may encrypt sensitive information with our public key, available at https://www.mailyard.io/public-key.txt.
In your report, please include:
We may ask for further information from you via this channel if necessary, and you may also apprise us of any new information.