Mindbody Responsible Disclosure Policy
Last Updated:
At Mindbody, safeguarding our customers' data and privacy is paramount, and we recognize the value of partnering with the security community in achieving this goal. We acknowledge that no technology is flawless, and collaborating with skilled security researchers is essential for identifying potential weaknesses in our systems. If you believe you've uncovered a vulnerability in our service, we're eager to collaborate with you to promptly address and rectify the issue, and to ensure you receive due recognition for your discovery.
You must adhere to the guidelines outlined in this policy. We ask that you thoroughly review this policy before you report a vulnerability.
Contents
Program Rules
Legal considerations
Guidelines for Testing
Proof of Concepts
Out of Scope
Bounty Payouts
Reporting a Security Vulnerability
FAQ
Program Rules
Please notify us immediately when you discover a potential vulnerability, and we will try to resolve it swiftly. You must not make any public disclosures or share details of the vulnerability with third parties before we have confirmed that it exists and you have allowed us adequate time to address it.
When testing for vulnerabilities, please limit your assessments to accounts that you either own or have explicit permission from the account holder to test against. Under no circumstances should you exploit a finding to access or extract large amounts of data or use it to infiltrate other systems. Generate a simple proof of concept to illustrate the identified issue, then contact us at [email protected].
If sensitive information, such as personally identifiable data, credentials, confidential information or financial data (including payment card data), is inadvertently accessed during vulnerability assessment, it must not be stored, transferred, or further accessed after its initial discovery. All sensitive information must be promptly returned to Mindbody, and any copies of such data must be permanently deleted and not retained.
Any type of denial of service (DoS or DDoS) attack, or other action that may negatively affect Mindbody, its customers or end users of Mindbody services, is strictly prohibited, as is any interference with the usual operation of network equipment and Mindbody infrastructure.
If you find the same vulnerability several times, please create only one report that notes all affected areas in your comments. You will be rewarded according to your findings.
You should not violate any laws or regulations or breach any agreements in order to discover vulnerabilities.
Willful violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
Legal considerations
Activities carried out in accordance with this policy are considered "authorized conduct". We will not pursue legal recourse against individuals who act in good faith and engage in authorized conduct. Participation in this program is voluntary and we may terminate the program at any time by issuing a notice on this website. Eligibility for bounty payments may be revoked at any time for users who, in our sole discretion, violate this policy.
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause Mindbody to be in breach of any of its legal obligations.
Guidelines for Testing
- First, do no harm.
- Test in a way that will not disrupt other users or interfere with their data rights.
- Please provide your IP address in your report.
  - We will keep this data private and only use it to review logs related to your testing activity and submissions.
- Whenever possible, include a custom HTTP header in all your traffic.
  - Burp and other proxies allow the easy automatic addition of headers to all outbound requests.
  - Report to us what header you set so we can identify it easily. For instance:
    A header that includes your username: X-Bug-Bounty:Hacker-[accountid]
    A header that includes a unique or identifiable flag: X-Bug-Bounty:ID-[sha256-flag]
- Use test accounts or profiles that you control.
- Do not use unthrottled automated scanners/tools.
- If you think you have found indications of a vulnerability that may do damage, please: stop, report what you’ve found, and request additional testing permission.
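The reason the guidelines ask for both your IP address and a custom header is that together they let the security team pull only your requests out of the access logs and tell them apart from other traffic. The script below is an added illustration of that review step; it is not Mindbody's code. It assumes a web server log format in which the value of the X-Bug-Bounty request header is written as the last quoted field, and the log lines, addresses and reporter id it uses are constructed for the example.

```python
"""Correlate a researcher's submission (IP + custom header) with access logs.

Added example, not Mindbody's tooling. Assumes a customised access-log format
where the X-Bug-Bounty header value is the last quoted field ("-" when absent).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample log lines (documentation IP ranges, made-up reporter id).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Hacker-acct123"
198.51.100.9 - - [12/May/2024:10:01:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [12/May/2024:10:01:05 +0000] "POST /api/v1/profile HTTP/1.1" 500 88 "-" "curl/8.0" "Hacker-acct123"
203.0.113.7 - - [12/May/2024:10:02:00 +0000] "GET /search?q=test HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
192.0.2.44 - - [12/May/2024:10:03:00 +0000] "GET /search?q=x HTTP/1.1" 200 2048 "-" "sqlmap/1.7" "Hacker-acct123"
"""

# Combined-log layout plus one trailing quoted field for the bounty header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<tag>[^"]*)"$'
)


@dataclass(frozen=True)
class LogEntry:
    ip: str
    ts: str
    req: str
    status: int
    ua: str
    tag: str  # X-Bug-Bounty header value, or "-" if the request had none


def parse_log(text):
    """Parse log text into LogEntry objects, skipping lines in another format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        entries.append(LogEntry(m["ip"], m["ts"], m["req"], int(m["status"]), m["ua"], m["tag"]))
    return entries


def find_researcher_traffic(entries, reported_ip, reported_tag):
    """Split log entries by how they relate to a submission.

    matched  : IP and header both agree with the report (the researcher's own traffic)
    ip_only  : reporter's IP but no/other header (untagged requests worth asking about)
    tag_only : reporter's header from a different IP (header reused elsewhere, needs
               clarification before the activity is attributed to the reporter)
    """
    ip_address(reported_ip)  # reject malformed addresses in the submission early
    if not reported_tag or reported_tag == "-":
        raise ValueError("a non-empty custom header value is required")
    result = {"matched": [], "ip_only": [], "tag_only": []}
    for e in entries:
        ip_ok, tag_ok = e.ip == reported_ip, e.tag == reported_tag
        if ip_ok and tag_ok:
            result["matched"].append(e)
        elif ip_ok:
            result["ip_only"].append(e)
        elif tag_ok:
            result["tag_only"].append(e)
    return result


if __name__ == "__main__":
    # Values a report would carry: "IP Address used for testing" and "Custom header used".
    buckets = find_researcher_traffic(parse_log(SAMPLE_LOG), "203.0.113.7", "Hacker-acct123")
    for name, items in buckets.items():
        print(f"{name}: {len(items)}")
        for e in items:
            print(f"  {e.ts} {e.ip} {e.status} {e.req}")
```

The three buckets are the point of asking for both identifiers: a request that carries the reporter's header from an unexpected address, or comes from the reporter's address without the header, is not automatically the reporter's authorized testing and is the kind of thing the triage team will ask about rather than assume.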
Proof of Concepts
XSS: For XSS, a simple alert or any execution of injected code should suffice. “Self-XSS” requiring a user to craft or copy code into their browser is firmly out of scope.
RCE: Please only execute harmless code. Do not attempt to explore the file structure or exfiltrate information. Run basic identification commands (whoami, ipconfig, etc.), then disconnect. Provide us with the file names and locations of any shellcode or other files you have uploaded.
SQLi: We will accept proof of concepts that either 1) display the SQL version or 2) provide evidence of a controlled differential response or blind timing injection.
Unvalidated redirect: Set the redirect endpoint to http://example.com if possible.
CSRF: Attach a file that demonstrates the issue or provide a simple code block in HTML or JavaScript that demonstrates execution.
SSRF: Report immediately as soon as you believe that you have a potential SSRF issue, providing evidence from Burp Collaborator or some other server/DNS source. Please do not conduct further investigation or make probing calls against internal networks.
Out of Scope
The following vulnerabilities are not in scope for testing or submission:
- Any hypothetical flaw or best practice recommendation without an exploitable POC.
- Login/logout CSRF or any other low-value CSRF.
- Missing HTTP response headers.
- Absence of SPF/DKIM/DMARC or other mail records.
- Brute force / password reuse / user enumeration attacks.
- Disclosure of known public files or directories (e.g. robots.txt).
- Self XSS, Tab-nabbing, and Clickjacking.
- Any flags missing from cookies that are not associated with sessions or authentication.
- SSL/TLS best practices, missing Certificate Authority Authorization rules, and reports of insecure SSL/TLS ciphers (unless accompanied by a working proof of concept).
- Denial of service attacks.
- Physical or social engineering attempts, and issues that require physical access to a victim’s computer/device.
- Recently disclosed 0-day vulnerabilities. We will accept submissions relating to unpatched security issues in component systems starting 15 days after the patch release date.
- Presence of autocomplete attribute on web forms.
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- Reports about third-party applications or integrations available to our customers but that aren’t part of our systems directly (phpMyAdmin, Webmail, etc.), if the vulnerability doesn’t directly expose customer data and/or metadata.
- Reports about known vulnerabilities in sub-component parts (e.g. OpenSSH) or third-party libraries that are disclosed without a working POC.
- Non-sensitive exposed API keys.
Out of Scope Vulnerabilities for mobile applications (Android/iOS)
- Missing certificate pinning
- Missing root/jailbreak detection
- Snapshot/Pasteboard/Clipboard data leakage
- Lack of obfuscation or binary protection
- Vulnerabilities in third-party libraries (without a relevant PoC).
- Application crashes unless instigated from an external source
- Weak Encryption/Encoding Mechanism without an exploitation vector
Bounty Payouts
We appreciate users who take the time to responsibly disclose vulnerabilities to us. Our bounty payouts are designed to compensate for the time spent in drafting these submissions. Responsible disclosure rewards will be paid in the form of popular gift cards for submissions which comply with all of the requirements of this policy. We follow the OWASP risk rating methodology for deciding severity for web and mobile applications and CVSS3 for other reports. The value of the bounty award will depend upon the severity and quality of the bug as below:
- $0: Low or trivial security issues
- $50-100: Medium security issues
- $100-150: High security issues
- $150-250: Critical security issues
The ultimate determination of the severity of any bug will be at our reasonable discretion.
Bounty awards are issued from a third-party service after we have internally verified, rated, and resolved any related open questions with the reporter. Please allow several business days after receiving notice that a bounty payment will be issued.
Residents of the United States who receive over $600 in payouts during a calendar year are required to provide additional identity and tax information.
Reporting a security vulnerability
You can report a security bug or vulnerability to us using the following email: [email protected]. Please state concisely in your email what vulnerabilities you have found. You can expect an email verifying receipt within 2-5 business days. We will make further contact after that with relevant questions and to provide information on collecting any issued bounties.
Submissions must contain the following elements to qualify:
- Bug Title: %Title
- Bug type: %bugtype
- Domain: %domain
- Self-Rated Severity: %severity
- URL: %url
- IP Address used for testing the bug: %IP address
- Custom header used: %Custom Header
- PoC: %poc
Frequently asked questions
Will I receive a reward for my investigation?
Yes, we will issue bounties for qualified submissions. We will not issue bounties for 'low' impact or duplicate reports. Other bounty amounts depend on:
- The caution taken in your investigation.
- The quality of your report.
- Severity of Issue.
Am I allowed to publicly disclose the weaknesses I find and my investigation?
Please do not publicize weaknesses in our applications or systems without first consulting or informing Mindbody. Following industry-standard practice, we request that you allow 120 days after submission, or 30 days after verified remediation, before public disclosure. In some cases, we may request an extension to public disclosure.
What shouldn’t I use the [email protected] address for?
This email address is not intended for the following:
- To submit complaints about Mindbody products or services
- To submit questions or complaints about the availability of the website
- To report fraud or suspicion of fraud
- To report phishing emails
Resources to help with these issues are available at the following URLs:
When should I expect a response to my submission?
Our dedicated team of security engineers will promptly investigate your report. Expect to hear from us within 2 to 5 US business days to acknowledge your submission, with follow-up contact to discuss your discovery process or any necessary next steps. We value your feedback and kindly ask that you send a gentle reminder if you haven't received an expected response within 5 days.