Responsible Disclosure Policy
At Mynd Group Limited (“Mynd Group”, “we”, “us”, “our”), we are committed to ensuring the security and privacy of our users’ data. We appreciate the valuable role that security researchers play in identifying potential weaknesses or vulnerabilities and helping us maintain a secure platform. This policy outlines our guidelines for responsible disclosure of security vulnerabilities.
Purpose
We recommend that you read this Responsible Disclosure Policy (the “Responsible Disclosure Policy”) before you report any vulnerabilities to us. This will help to make sure that you understand the Responsible Disclosure Policy, and act in compliance with it.
This Responsible Disclosure Policy documents how Mynd Group accepts, verifies, and responds to vulnerability reports. It provides a structured and systematic approach for handling internally and externally reported vulnerabilities that affect Mynd Group’s products, services, and infrastructure.
Specifically, Mynd Group intends for this Responsible Disclosure Policy to:
- Define Mynd Group’s vulnerability handling process and provide step-by-step guidelines for establishing a timely, consistent, and repeatable vulnerability response and handling process
- Mitigate or minimise the effects of verified vulnerabilities on Mynd Group, its products, services, infrastructure, its users, and others
- Help Mynd Group track and document the actions it takes to handle vulnerability reports
Upon discovering any vulnerability, you agree not to disclose vulnerability details to the public or any third party other than Mynd Group without the express written permission of Mynd Group.
Scope
This Responsible Disclosure Policy applies to all Mynd Group’s products, services, and infrastructure, including:
- Our music streaming platform accessed via play.myndstream.com
- Our public-facing websites and APIs accessed via app.myndstream.com, play.myndstream.com and myndstream.com
- Our backend systems and databases
Guidelines for Researchers
Authorised Activities:
- Conducting security research on our publicly accessible systems
- Reporting vulnerabilities through our designated channels
- Providing detailed information to help us reproduce and fix issues
Prohibited Activities:
- Intentionally accessing data belonging to other users
- If you suspect that a vulnerability or service provides access to other users’ data, limit queries to your own users and accounts
- If you access any data belonging to other users, report the vulnerability immediately and do not attempt to access any other data. We will assess the scope and impact of the user data exposure
- You must delete all your local, stored, or cached copies of data containing user data as soon as possible (and in any event no later than 30 days after the date on which the vulnerability is resolved). We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed
- Modifying or deleting data belonging to other users
- Putting exposed data at risk
- Conducting denial of service (DoS) or distributed denial of service (DDoS) attacks or degrading our services
- Spamming content or activity on our services
- Using large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic
- Attempting social engineering or “phishing” attacks on our employees or users
- Exploiting vulnerabilities beyond what is necessary for proof-of-concept
- Conducting brute-force attacks
- Publicising vulnerabilities relating to Mynd Group, our platforms or our websites via third party websites or platforms
- Acting in breach of any applicable laws or regulations
- Demanding financial compensation before disclosing any vulnerabilities
Reporting Process
To report a vulnerability, please ensure your report complies with the following steps:
- Send an encrypted email to [email protected]
- Include a detailed description of the vulnerability in the English language, including:
- Brief summary of the type of vulnerability
- Written steps to reproduce the vulnerability
- Potential impact including an explanation of the risks that the vulnerability presents
- Recommended actions for remediation and risk mitigation
- Any proof-of-concept code or screenshots
On our satisfactory receipt of a report as detailed above, we will endeavour to acknowledge receipt of your report within five business days or such time as we reasonably determine in our discretion. By submitting your report, you acknowledge and agree to maintain confidentiality until we have addressed the issue. In the event that Mynd Group does not receive a report that strictly complies with the steps above, we reserve our right not to respond to your report.
Our Commitment
Subject to full compliance with our reporting process, we shall use reasonable endeavours to:
- Acknowledge your initial report within five business days of our receipt
- Communicate whether we will further investigate the potential issue, or inform you that the report duplicates an already known issue that we are currently reviewing or that has been separately reported to us
- Provide updates on the status of the reported vulnerability at reasonable times as solely determined by us
- Validate and address confirmed vulnerabilities
- Notify you within a reasonable timeframe when the issue has been resolved
- Acknowledge your contribution after the vulnerability is fixed
Mynd Group is not able to offer financial compensation to security researchers in return for the reporting of vulnerabilities and shall be under no obligation to do so.
Safe Harbor
We will not pursue legal action against researchers who:
- Strictly comply with the Responsible Disclosure Policy
- Make good faith and all reasonable efforts to avoid privacy violations, data destruction, and service interruption
- Refrain from exploiting vulnerabilities beyond necessary proof-of-concept
Disclosure Timeline
We will use reasonable endeavours to meet the timelines as follows:
Day 0: Vulnerability reported
Day 5: Acknowledgment sent to researcher
Day 30: Target date for vulnerability resolution
Day 90: Acknowledgement of your contribution (if agreed upon with the researcher and at our sole discretion)
Out of Scope
The following are not considered valid vulnerabilities under the Responsible Disclosure Policy:
- Descriptive error messages
- HTTP headers without sensitive data
- Lack of SSL/TLS for non-sensitive pages or SSL/TLS protocol scans that report specific vulnerable protocol versions or handshakes
- Vulnerabilities only affecting users with outdated or unsupported browsers or platforms
- Vulnerabilities not involving product or technical flaws, but relying solely upon possession of stolen or compromised credentials, or upon enumeration with a pre-defined and known list of UUIDs
- Vulnerabilities that rely on the use of non-production environments, e.g. staging, testing or development environments
- Most enumeration attacks, e.g. coupon code enumeration, user or account ID enumeration
- Vulnerabilities that do not affect a user other than the one currently authenticated with the service (e.g. self-XSS)
- Reports indicating that our products, services, and infrastructure do not fully align with “best practice”
Recognition
We appreciate the efforts of security researchers and, with their permission, we may in our sole discretion acknowledge their contributions, and note that the reported vulnerability has been resolved, on our security acknowledgments page (https://myndstream.com/responsible-disclosure-policy/).
By participating in our responsible disclosure program, you agree to comply with the Responsible Disclosure Policy. We reserve the right to modify these terms as necessary from time to time without notice to you, and the most current version will always be available on our website.
Thank you for helping us maintain a secure platform for our users and partners.