Responsible Disclosure Policy
Last updated: April 4, 2026
1. Introduction
MINDMOD LLC ("MINDMOD," "we," "us," or "our") values the security of our users and systems. We welcome and encourage security researchers to help us identify vulnerabilities in the Ask Anthony web application and related infrastructure. This Responsible Disclosure Policy outlines how to report security vulnerabilities and what you can expect from us in return.
2. Scope
This policy applies to security vulnerabilities found in:
- The Ask Anthony web application and all associated subdomains
- The Ask Anthony API endpoints
- The Ask Anthony admin panel
- Related infrastructure and services directly operated by MINDMOD LLC
3. Out of Scope
The following types of issues are not covered by this policy:
- Social engineering attacks (e.g., phishing, pretexting) against MINDMOD employees or users
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Spam, bulk messaging, or email bombing
- Email spoofing (SPF, DKIM, DMARC configuration issues)
- Physical attacks against MINDMOD offices or infrastructure
- Vulnerabilities in third-party services we use (Supabase, Anthropic, ElevenLabs, Cloudflare, Railway, Termly) — please report these to the respective providers
- Clickjacking on pages with no sensitive actions
- Missing HTTP security headers that do not lead to a demonstrable exploit
- Software version disclosure without a demonstrated vulnerability
- Vulnerabilities requiring physical access to a user's device
- Issues related to outdated browsers or plugins
4. Our Commitments
When you report a vulnerability in good faith and in accordance with this policy, we commit to:
- Acknowledge receipt of your report within 3 business days;
- Provide regular updates on the status of your report and our remediation efforts;
- Remediate confirmed vulnerabilities in a timely manner, prioritized by severity;
- Not pursue legal action against you for security research conducted in compliance with this policy (see Safe Harbor below);
- Credit you (if desired) in any public disclosure of the vulnerability, with your permission.
5. Our Expectations
We ask that security researchers:
- Act in good faith and with the intent to improve security;
- Do not access, modify, or delete data belonging to other users;
- Use only accounts you own or have explicit permission to test with;
- Minimize disruption — do not degrade the performance or availability of the Service;
- Do not exploit a vulnerability beyond what is necessary to demonstrate its existence;
- Provide a reasonable amount of time (at least 90 days) for us to address the vulnerability before any public disclosure;
- Do not publicly disclose the vulnerability until we have had adequate time to remediate and have given consent;
- Include sufficient detail in your report for us to reproduce and verify the vulnerability;
- Do not use automated scanning tools in an aggressive manner that could impact service availability;
- Comply with all applicable laws and regulations.
6. How to Report a Vulnerability
Email: security@mindmod.com
Please include the following in your report:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any proof-of-concept code or screenshots
- Your contact information (email) for follow-up
- Whether you would like to be publicly credited
Please encrypt sensitive reports if possible. You may request our PGP public key by emailing security@mindmod.com with the subject line "PGP Key Request."
7. Safe Harbor
MINDMOD considers security research conducted in accordance with this policy to be:
- Authorized in compliance with the Computer Fraud and Abuse Act (CFAA) and similar state laws;
- Authorized in compliance with the Digital Millennium Copyright Act (DMCA);
- Exempt from restrictions in our Terms of Service that would otherwise prohibit the security research activities described here;
- Conducted in good faith and for the benefit of the security community.
We will not initiate or support legal action against you for accidental, good-faith violations of this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct under the CFAA.
8. Response Timeline
- Acknowledgment: Within 3 business days of receipt
- Initial assessment: Within 10 business days
- Remediation: Based on severity — critical (7 days), high (30 days), medium (60 days), low (90 days)
- Public disclosure: Coordinated with the reporter, typically 90 days after the initial report
9. Changes to This Policy
MINDMOD reserves the right to modify this Responsible Disclosure Policy at any time. Changes will be reflected with an updated revision date at the top of this page.
10. Contact
For security-related inquiries:
MINDMOD LLC
Security Team: security@mindmod.com
General Support: support@mindmod.com