Responsible Disclosure

1. Overview

MentorNeko takes security seriously. If you have discovered a security vulnerability in our platform, we appreciate your help in disclosing it to us responsibly. We are committed to working with security researchers to verify and address potential vulnerabilities.

2. Scope

The following are in scope for responsible disclosure:

• The MentorNeko platform (*.mentorneko.com)
• Our API endpoints
• Authentication and session management
• Tenant isolation and data access controls

The following are out of scope:

• Third-party services and infrastructure providers
• Social engineering attacks against MentorNeko employees
• Denial of service attacks
• Physical security
• Automated vulnerability scanning that generates excessive traffic

3. How to Report

Send vulnerability reports to security@mentorneko.com. Please include:

• Description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any proof-of-concept code or screenshots
• Your contact information for follow-up

Please encrypt sensitive reports using our PGP key (available upon request).

4. Our Commitments

• We will acknowledge receipt of your report within 3 business days.
• We will provide an initial assessment within 10 business days.
• We will keep you informed of our progress toward remediation.
• We will not pursue legal action against researchers who follow this policy.
• We will credit researchers in our security acknowledgments (with your permission).

5. Researcher Guidelines

• Do not access, modify, or delete data belonging to other users or organizations.
• Do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it (minimum 90 days).
• Do not use automated tools that generate significant traffic or could degrade service for other users.
• Act in good faith to avoid privacy violations and disruption to production systems.

6. Contact