
Responsible Disclosure

Help us maintain the security and integrity of Mpalo's platform. Report vulnerabilities responsibly and contribute to a safer AI ecosystem.

Security at Mpalo

At Mpalo, we take security seriously. We appreciate the security research community's efforts to help us maintain the safety and security of our platform, APIs, and services.

If you believe you have found a security vulnerability in any Mpalo-owned system or service, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Scope

In Scope

  • mpalo.com and all subdomains
  • Workbench platform (workbench.mpalo.com)
  • Mpalo API endpoints
  • Mobile applications
  • Security vulnerabilities in our services

Out of Scope

  • Third-party services we use
  • Social engineering attacks
  • Physical attacks against our offices
  • Denial of Service (DoS/DDoS) attacks
  • Spam or content injection

How to Report

Email

Send detailed reports to our security team:

security@mpalo.com

Encrypted

For sensitive reports, use our PGP key:

Key ID: 0x1234567890ABCDEF
Fingerprint: 1234 5678 90AB CDEF

What to Include

  • Vulnerability type and impact assessment
  • Step-by-step reproduction instructions
  • Screenshots or proof-of-concept code
  • Affected systems and URLs
  • Browser and version (if applicable)
  • Your contact information for follow-up
  • CVE information (if available)
  • Suggested remediation (if you have ideas)

Our Response Process

1. Acknowledgment

We'll acknowledge receipt of your report within 24 hours and provide a tracking ID.

2. Investigation

Our security team will investigate and validate the report within 5 business days.

3. Resolution

We'll work to resolve confirmed issues and keep you updated on our progress.

4. Disclosure

After resolution, we'll coordinate responsible disclosure timing with you.

Guidelines

Please Do

  • Report the vulnerability as soon as possible
  • Provide detailed reproduction steps
  • Keep the vulnerability confidential
  • Use the provided communication channels
  • Be patient during our investigation

Please Don't

  • Access, modify, or delete user data
  • Perform DoS/DDoS attacks
  • Publicly disclose before coordination
  • Violate privacy of other users
  • Use social engineering tactics

Legal Safe Harbor

Mpalo supports safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, disruption, and data destruction
  • Only interact with accounts they own or have explicit permission to access
  • Do not access sensitive data or user information
  • Follow responsible disclosure practices

We will not pursue legal action against researchers who follow these guidelines and work with us to resolve security issues.

Recognition

We're grateful for the security community's contributions. Depending on the severity and impact of the vulnerability, recognition may include:

  • Public acknowledgment in our security advisories (with your permission)
  • Recognition on our security researchers page
  • Mpalo swag and merchandise
  • Direct communication with our security team

Questions?

If you have questions about our responsible disclosure process or need clarification on our security policies, don't hesitate to reach out.