Primind

Vulnerability Disclosure Policy

Primind welcomes good-faith vulnerability reports and asks researchers to report suspected issues safely, privately, and with minimal disruption.

Purpose

This policy explains how to report suspected vulnerabilities in Primind-owned public systems. It is intended for good-faith research that avoids privacy violations, data exposure, and service disruption.

How to report

Email security reports to support@primind.ai.

Please include:

  • Affected URL, endpoint, page, or feature.
  • Vulnerability type and a short summary.
  • Reproduction steps with expected and observed behavior.
  • Potential impact.
  • Screenshots, logs, or proof-of-concept details if they are safe to share.
  • Whether any customer, user, or private data may have been exposed.

Include only information that is safe to share. Do not send customer data, private user data, secrets, credentials, or destructive proof-of-concept material.

Scope

In-scope research is limited to Primind-owned public web properties and production application endpoints that are appropriate for testing.

This policy does not authorize activity against third-party systems, customer environments, connected source providers, identity providers, or data you do not own.

Out of scope

  • Denial-of-service, load testing, or stress testing.
  • Social engineering, phishing, or attacks against people.
  • Physical attacks against offices, devices, employees, customers, or vendors.
  • Attacks against third-party services, source providers, identity providers, customer tenants, or integrations you are not authorized to test.
  • Accessing, modifying, deleting, or exfiltrating data that is not yours.
  • Persistence, malware, credential theft, or destructive testing.
  • Spam, automated high-volume scanning, or noisy testing.
  • Testing customer environments or third-party integrations without explicit authorization.

Research rules

  • Use only accounts and data that you own or are authorized to test.
  • Stop immediately if you encounter private, customer, user, or sensitive data.
  • Report the issue promptly and include enough detail for Primind to investigate.
  • Do not publicly disclose the issue until Primind has had time to investigate and remediate it.
  • Avoid privacy violations, data exposure, service disruption, and destructive actions.

Safe harbor

When security research is conducted in good faith and follows this policy, Primind will treat the activity as authorized and will not pursue legal action based on that research.

This does not authorize activity against third-party systems, customer environments, or data you do not own.

This policy is not legal advice and does not override applicable law or third-party terms.

Response expectations

Primind aims to acknowledge valid reports within a reasonable timeframe and may follow up for additional details.

No bounty

Primind does not currently offer a paid bug bounty program.

Confidentiality

Please do not publicly disclose vulnerabilities until Primind has had time to investigate and remediate the issue.

Primind Vulnerability Disclosure Policy - Primind