At Mindvalley, we believe that collaboration with the security community makes the internet safer for everyone. We welcome responsible disclosure of vulnerabilities that may impact the confidentiality, integrity, or availability of our systems or the data of our users. This policy outlines how to report potential security issues to us, what you can expect in return, and how we work with you to address them.
This policy applies to all digital assets that are owned, operated, or maintained by Mindvalley, including but not limited to:
*.mindvalley.com
*.mvstg.com
*.mindvalley.dev
*.mindvalley.tech
*.mindvalley.team
*-api.mindvalley.com
If you're unsure whether a system is in scope, please ask before you begin testing. Subdomains not listed above may still be in scope if they are clearly operated by Mindvalley. When in doubt, contact us.
The following activities are either illegal, pose a risk to user privacy, or lack actionable security value. Engaging in them could result in disqualification from recognition and possible legal escalation:
Any third-party platforms or services not owned or managed by Mindvalley
Social engineering, phishing, or physical security attacks
Denial-of-Service (DoS/DDoS) attacks or resource exhaustion testing
Spam or brute-force attacks not tied to a specific vulnerability
Clickjacking or the presence of SPF/DMARC/DKIM configurations without specific exploitability
Please report any third-party vulnerabilities to the appropriate vendor or authority.
If you act in good faith and adhere to this policy, we commit to:
Timely Response – Acknowledge receipt of your report within 5 business days
Collaborative Investigation – Work with you to understand, validate, and remediate the issue
Transparency – Keep you informed on the progress of our mitigation efforts
Respect & Recognition – With your consent, recognize your contribution publicly.
Safe Harbor – We will not pursue legal action for security research conducted in accordance with this policy
We expect the following from researchers participating in this program:
Act in Good Faith – Do not exploit vulnerabilities or access data beyond what's necessary for proof of concept
Stay Within Scope – Avoid testing systems not explicitly covered by this policy
Respect Legal Boundaries – Do not engage in any testing that violates local or international law, or that affects users or systems not under our control.
Minimize Impact – Do not degrade, disrupt, or compromise the availability of our services
Avoid Data Breaches – If you encounter sensitive data (e.g., PII, PHI, financial info), stop testing and report immediately
Use Official Channels – Submit all reports to security@mindvalley.com or through this Airtable form
Allow Reasonable Time – Give us a fair opportunity to address the issue before disclosing it publicly
Please submit your reports via security@mindvalley.com or through our Vulnerability Disclosure Form test.
Include the following details:
A detailed summary of the issue
Affected domain or asset
Steps to reproduce the vulnerability
Any supporting materials (e.g., screenshots, logs, proof-of-concept code)
Your contact information
