
Responsible Disclosure

Memory infrastructure handles intimate data. Security vulnerabilities here carry real consequences for real people. If you find one, tell us directly.

Security at Mpalo

Palo Bloom processes episodic memory -- personal, sequential, contextual. That means the data flowing through our infrastructure is meaningful to the people it belongs to. We hold it carefully, and we want to know immediately when something in our systems could put it at risk.

If you find a vulnerability in any Mpalo-owned system or service, report it directly. We investigate every legitimate report and keep you informed throughout the process.

Scope

In Scope

  • mpalo.com and all subdomains
  • Mind Platform (mind.mpalo.com)
  • Mpalo API endpoints
  • Mobile applications
  • Security vulnerabilities in our services

Out of Scope

  • Third-party services we use
  • Social engineering attacks
  • Physical attacks against our offices
  • Denial of Service (DoS/DDoS) attacks
  • Spam or content injection

How to Report

Email

Send detailed reports to our security team:

security@mpalo.com

What to Include

  • Vulnerability type and impact assessment
  • Step-by-step reproduction instructions
  • Screenshots or proof-of-concept code
  • Affected systems and URLs
  • Browser and version (if applicable)
  • Your contact information for follow-up
  • CVE information (if available)
  • Suggested remediation (if you have ideas)

Our Response Process

1. Acknowledgment

We'll acknowledge receipt of your report within 24 hours and provide a tracking ID.

2. Investigation

Our security team will investigate and validate the report within 5 business days.

3. Resolution

We'll work to resolve confirmed issues and keep you updated on our progress.

4. Disclosure

After resolution, we'll coordinate responsible disclosure timing with you.

Guidelines

Please Do

  • Report the vulnerability as soon as possible
  • Provide detailed reproduction steps
  • Keep the vulnerability confidential
  • Use the provided communication channels
  • Be patient during our investigation

Please Don't

  • Access, modify, or delete user data
  • Perform DoS/DDoS attacks
  • Publicly disclose before coordination
  • Violate privacy of other users
  • Use social engineering tactics

Legal Safe Harbor

Mpalo supports safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, disruption, and data destruction
  • Only interact with accounts they own or have explicit permission to access
  • Do not access sensitive data or user information
  • Follow responsible disclosure practices

We will not pursue legal action against researchers who follow these guidelines and work with us to resolve security issues.

Recognition

We're grateful for the security community's work. For confirmed, meaningful vulnerabilities:

  • Public acknowledgment in our security advisories, with your permission
  • Direct communication with the Mpalo security team throughout resolution

Questions?

If you have questions about our responsible disclosure process or need clarification on our security policies, don't hesitate to reach out.