Vulnerability Disclosure Policy

Likemymind America Inc (d/b/a Findmino) — Effective March 2026

We take the security of our platform and the protection of student data seriously. We welcome and appreciate responsible disclosure of security vulnerabilities from security researchers and the public. This policy describes how to report vulnerabilities, what to expect from us, and our commitment to not pursue legal action against good-faith reporters.

Scope

This policy applies to all Findmino products and services, including:

  • The Findmino web application (findmino.com)
  • Findmino API endpoints (api.findmino.com)
  • Associated subdomains and infrastructure

How to Report a Vulnerability

Please report vulnerabilities by email to:

info@findmino.com

Please include the following in your report:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected URL, endpoint, or component
  • Any relevant screenshots or proof-of-concept code
  • Your contact information for follow-up

What to Expect

Acknowledgment within 3 business days

We will confirm receipt of your report and provide a tracking reference.

Initial assessment within 10 business days

We will evaluate the report, confirm the vulnerability, and communicate the severity and expected timeline for a fix.

Remediation and disclosure

We aim to resolve critical vulnerabilities within 30 days. We will coordinate with you on public disclosure timing in line with responsible disclosure best practices.

Safe Harbor

We will not pursue legal action against anyone who:

  • Makes a good-faith effort to comply with this policy
  • Reports vulnerabilities directly to us before public disclosure
  • Avoids actions that could harm our users, disrupt our services, or destroy data
  • Does not access, modify, or delete student data or personally identifiable information

Activities conducted in accordance with this policy will be considered authorized. We will not initiate legal action against researchers who discover and report vulnerabilities in good faith.

Guidelines for Researchers

Please do

  • Test only against your own accounts
  • Stop testing if you access another user's data
  • Report findings promptly
  • Provide sufficient detail to reproduce the issue
  • Allow reasonable time for remediation before disclosure

Please do not

  • Access or modify student data
  • Perform denial of service attacks
  • Send unsolicited messages to users
  • Use social engineering against our staff
  • Test against production school accounts

Qualifying Vulnerabilities

We are particularly interested in:

  • Authentication or authorization bypasses
  • Cross-site scripting (XSS) or injection vulnerabilities
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Sensitive data exposure
  • Privilege escalation
  • API security issues

Out of scope: rate limiting issues, missing security headers on non-sensitive pages, UI bugs, outdated library versions without a demonstrated exploit, and reports from automated scanning tools without manual verification.

Recognition

We value the contributions of security researchers. With your permission, we will publicly acknowledge your contribution on our security page. We do not currently operate a paid bug bounty program, but we express our gratitude to every researcher who helps keep our students safe.

This policy is published in accordance with the CISA Secure by Design Pledge. Last updated: March 2026.