Security researchers MUST:
1. cease testing and notify us immediately upon discovery of a vulnerability.
2. cease testing and notify us immediately upon discovery of exposure of nonpublic data.
Security researchers MUST NOT:
1. engage in physical testing of facilities or resources.
2. send unsolicited electronic mail, including “phishing” messages.
3. execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks.
4. knowingly introduce malicious software.
5. test in a manner that could degrade the operation of Mandala’s systems; or intentionally impair, disrupt, or disable Mandala’s systems.
6. delete, alter, share, retain, or destroy Mandala’s data, or render Mandala’s data inaccessible.
7. use an exploit to exfiltrate data, establish command-line access, or establish a persistent presence on Mandala’s systems.
8. test any third-party websites or systems that integrate with Mandala.
Researchers may submit reports anonymously, although providing a preferred contact method is welcome so that we can clarify reported vulnerability details or carry out any other technical exchange.
If you identify a verified vulnerability in compliance with our Disclosure Policy, we commit to:
1. provide acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
2. work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
3. notify you when the vulnerability is resolved so that it can be re-tested and confirmed as remediated
4. publicly acknowledge your responsible disclosure (if you wish)
When reporting a vulnerability or a security breach, you must provide a detailed technical description of the steps to reproduce it, including tools, images, and any other documentation that can be attached to the report.
The information that should be provided (if known) at this point includes:
1. when the breach occurred or the vulnerability was exploited (time and date).
2. a description of the breach/vulnerability (the type of personal information involved).
3. the cause of the breach (if known), or otherwise how it was discovered.
Mandala will determine the severity based on the following criteria:
1. the type and extent of personal information involved
2. whether multiple individuals have been affected
3. whether the information is protected by any security measures (password protection or encryption).
4. the person or kinds of people who now have access
5. whether there is (or could be) a real risk of serious harm to the affected individuals
6. whether there could be media or stakeholder attention as a result of the breach or suspected breach
Please contact us via [email protected]
Mandala Analytics reviews this Vulnerability Disclosure Policy from a legal and operational perspective annually.