Report a Vulnerability

At Mine, we believe in protecting our users' privacy and security.

If you believe you’ve discovered a bug in Mine’s security, please email us at support@saymine.com. We will respond as quickly as possible. We request that you not publicly disclose the issue until it has been addressed by Mine’s security team.

For submission guidelines see: OWASP Vulnerability Disclosure Cheat Sheet

Reward & Submission

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Mine rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or accessing another user’s private data).

A minimum reward of $100 USD may be provided for the disclosure of qualifying reports. At our discretion, we may increase the reward amount based on the severity of the report. If you report a vulnerability that does not qualify under the above criteria, we may still provide a non-monetary reward in the form of Mine merchandise if your report causes us to take specific action to improve our security posture.

We ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts, or loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities. 

As with most security reward programs, there are some restrictions:

  • We will only reward the first person to responsibly disclose a bug to us
  • Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded
  • Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time
  • Your testing must not violate any laws
  • We can’t provide you a reward if it would be illegal for us to do so

In Scope

  • Only test against the Mine web application and the Mine API domains: saymineapp.com, api.saymineapp.com, portal.saymine.com, api.portal.saymine.com. All other domains are out of scope.
  • You can sign up for Mine at https://saymine.com
  • Only test against accounts you have created.
  • Limit your use of scanner tests based on our technology stack: Angular & .net core.

Out of Scope

  • Reports not pertaining to the domains in scope.
  • Presence or absence of DMARC/SPF/other DNS records.
  • Denial of service attacks.
  • Lack of rate limiting.
  • Brute force attacks.
  • Self inflicted attacks.

Self inflicted attacks: this includes any report that requires privileged access to a Mine account to execute, or any report where an attacker must first compromise a Mine user account in order to deliver their payload. These reports are denied as out of scope unless they have an accompanying PoC demonstrating how an external attacker could first compromise the user account remotely.

This doesn’t include privilege escalation reports where a user with limited permission can perform actions beyond their privilege level by way of an exploit. 

Third Parties

Mine uses a number of third-party providers and services. Our vulnerability program does not give you permission to perform security testing on their systems.