Vulnerability Disclosure Policy

Likemymind America Inc (d/b/a Findmino) — Effective March 2026

We take the security of our platform and the protection of student data seriously. We welcome and appreciate responsible disclosure of security vulnerabilities from security researchers and the public. This policy describes how to report vulnerabilities, what to expect from us, and our commitment to not pursue legal action against good-faith reporters.

Scope

This policy applies to all Findmino products and services, including:

  • The Findmino web application (findmino.com)
  • Findmino API endpoints (api.findmino.com)
  • Associated subdomains and infrastructure

How to Report a Vulnerability

Please report vulnerabilities by email to:

info@findmino.com

Please include the following in your report:

  • - A description of the vulnerability and its potential impact
  • - Step-by-step instructions to reproduce the issue
  • - The affected URL, endpoint, or component
  • - Any relevant screenshots or proof-of-concept code
  • - Your contact information for follow-up

What to Expect

Acknowledgment within 3 business days

We will confirm receipt of your report and provide a tracking reference.

Initial assessment within 10 business days

We will evaluate the report, confirm the vulnerability, and communicate the severity and expected timeline for a fix.

Remediation and disclosure

We aim to resolve critical vulnerabilities within 30 days. We will coordinate with you on public disclosure timing in line with responsible disclosure best practices.

Safe Harbor

We will not pursue legal action against anyone who:

  • Makes a good-faith effort to comply with this policy
  • Reports vulnerabilities directly to us before public disclosure
  • Avoids actions that could harm our users, disrupt our services, or destroy data
  • Does not access, modify, or delete student data or personally identifiable information

Activities conducted in accordance with this policy will be considered authorized. We will not initiate legal action against researchers who discover and report vulnerabilities in good faith.

Guidelines for Researchers

Please do

  • - Test only against your own accounts
  • - Stop testing if you access another user's data
  • - Report findings promptly
  • - Provide sufficient detail to reproduce the issue
  • - Allow reasonable time for remediation before disclosure

Please do not

  • - Access or modify student data
  • - Perform denial of service attacks
  • - Send unsolicited messages to users
  • - Use social engineering against our staff
  • - Test against production school accounts

Qualifying Vulnerabilities

We are particularly interested in:

  • - Authentication or authorization bypasses
  • - Cross-site scripting (XSS) or injection vulnerabilities
  • - Insecure direct object references (IDOR)
  • - Server-side request forgery (SSRF)
  • - Sensitive data exposure
  • - Privilege escalation
  • - API security issues

Out of Scope

The following reports will not be eligible for acknowledgment or a detailed response. We may not reply to reports limited to these issues:

  • - Automated SSL/TLS scanner output (Qualys SSL Labs, testssl.sh, nmap ssl-enum-ciphers, sslscan) without a working exploit demonstrating actual impact
  • - Missing or weak HTTP security headers without a demonstrated attack vector
  • - Reports about TLS 1.0/1.1 support, weak cipher suites, or HSTS configuration (these are CDN-level decisions, handled separately)
  • - Self-XSS, clickjacking on pages without sensitive state-changing actions, tab-nabbing
  • - Denial-of-service attacks (volumetric, application-layer, regex, or otherwise)
  • - Rate-limiting or brute-force on non-authentication endpoints
  • - Vulnerabilities in third-party services we depend on (Cloudflare, Stripe, Auth0, Clever, ClassLink, MongoDB Atlas) — please report those directly to the upstream vendor
  • - Social engineering of Findmino employees, contractors, or partner-district staff
  • - Reports generated by AI tools without independent reproduction and verification
  • - Vulnerabilities requiring a compromised end-user device, rooted phone, or malicious browser extension
  • - Outdated library versions without a demonstrated exploit path
  • - UI bugs, typos, or accessibility issues (please use info@findmino.com instead)

Security Hall of Fame

We publicly acknowledge security researchers whose reports meet the criteria above and result in a confirmed fix. With your written consent, we list:

  • - Your name (or chosen handle)
  • - A link to your public profile (HackerOne / Bugcrowd / GitHub / LinkedIn)
  • - The month the report was resolved (no technical details until disclosure)

No researchers listed yet — be the first by submitting a high-quality report.

Recognition

We value the contributions of security researchers. With your permission, we will publicly acknowledge your contribution on our security page. We do not currently operate a paid bug bounty program, but we express our gratitude to every researcher who helps keep our students safe.

Trust & Compliance AI Ethics Policy Terms of Service

This policy is published in accordance with the CISA Secure by Design Pledge. Last updated: March 2026.