Bug Bounty & Responsible Disclosure

We welcome security researchers to help us keep MiOffice safe. Report vulnerabilities responsibly and we'll work with you to resolve them.

Reporting a Vulnerability

If you've discovered a security vulnerability in MiOffice, please report it to us at [email protected].

Include in your report:

  • Description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, video, or code)
  • Affected URL(s) and parameters
  • Your suggested severity assessment (Critical / High / Medium / Low)

Our Commitments

Response Time

We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.

No Legal Action

We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

Credit

With your permission, we'll credit you on our security acknowledgments page after the vulnerability is resolved.

Transparency

We'll keep you informed throughout the remediation process and notify you when the fix is deployed.

Scope

In Scope

  • Cross-Site Scripting (XSS) on mioffice.ai
  • Cross-Site Request Forgery (CSRF) on API endpoints
  • Server-Side Request Forgery (SSRF)
  • Authentication or authorization bypasses on admin APIs
  • Information disclosure of sensitive data
  • Subdomain takeover
  • Open redirect vulnerabilities

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing
  • Physical attacks against our infrastructure
  • Vulnerabilities in third-party services we don't control
  • Reports from automated scanners without proof of exploitability
  • Security headers that are intentionally omitted (for example CSP, whose configuration is constrained by our WASM requirements)
  • Clickjacking on pages with no sensitive actions
  • Rate limiting on non-authentication endpoints
  • SPF/DKIM/DMARC configuration (informational only)

Rules of Engagement

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial of service attacks
  • Do not use automated vulnerability scanners at high volume
  • Do not publicly disclose vulnerabilities before they are fixed
  • Test only against mioffice.ai — do not test against staging or internal systems
  • Stop testing and report immediately if you access user data unintentionally

Found something?

Report it to [email protected]. We appreciate your help keeping MiOffice safe.