Security Overview
Central point of contact for security reports and bug bounty program
Detailed Security Documentation: Comprehensive technical details, incident response plans, and operational procedures are available after signing an NDA.
Overview
The security of our platform and the protection of your data are our highest priority. This page is your central point of contact for all security-related reports and inquiries.
Security Areas
ποΈ Infrastructure Security
Cloud-native Zero Trust architecture with enterprise-grade services:
- Managed Kubernetes: Service mesh with mTLS end-to-end encryption
- Monitoring & Alerting: Comprehensive monitoring with automated notifications
- Compliance: GDPR compliant, ISO 27001 in preparation, SOC 2 Type II planned for 2026
π» Software Security
Modern type-safe development architecture with security by design:
- Secure Development: TypeScript Strict Mode, Python with typing, OWASP Top 10
- Automated Security: AI-based code analysis, automatic dependency updates
- External Testing: Bug bounty program, external penetration test planned for August 2025
π DataVault Privacy
OnPremise solution for maximum data security:
- Local Data Storage: All data remains in your infrastructure
- Encrypted Transfer: Only relevant text sections via VPN
- GDPR Compliance: Complete control over your data
π¨ Report Security Vulnerability
Immediate Reporting
If you have discovered a security vulnerability:
π§ Email: security@meingpt.com
π Subject: URGENT - Critical Security Issue (for critical issues)
What You Should Include
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and risk assessment
- Screenshots or code examples (if possible)
β±οΈ Our Response Times
We have implemented a structured incident response system:
- Critical vulnerabilities: Immediate response (0-15 minutes)
- High priority: Response within 30 minutes
- Medium priority: Response within 2 hours
Detailed Incident Response Procedures: Specific escalation paths, communication plans, and operational procedures are documented in our internal incident response plan and available after NDA signing.
π° Bug Bounty Program
We reward responsible security researchers for finding and reporting vulnerabilities in our systems.
Rewards
The amount of the reward is based on:
- Severity of the vulnerability (Critical, High, Medium, Low)
- Quality of the report (reproducibility, documentation, clarity)
- Potential impact on users and systems
- First-time reporting (only the first valid report is rewarded)
Scope
In Scope
- Web applications and APIs (app.meingpt.com)
- Authentication and authorization mechanisms
- Data leakage and privacy violations
- SQL injection, XSS, CSRF
- Remote code execution vulnerabilities
- Authentication bypass
- Privilege escalation
Out of Scope (No Bounty)
- Expired SSL/TLS certificates - While we appreciate notifications, these do not qualify for a bounty
- Missing security headers without demonstrated impact
- Self-XSS requiring user interaction
- Social engineering attacks
- DoS/DDoS attacks
- SPF/DMARC/DKIM issues without demonstrated exploitability
- Rate limiting issues without security impact
- Third-party vulnerabilities (report to the vendor directly)
- Issues in deprecated or end-of-life features
- Theoretical vulnerabilities without proof of concept
- Paywall/Feature Gating issues that do not lead to unauthorized data access
- HackerOne Core Ineligible Findings
Participation
For details about our Bug Bounty Program and current terms, please contact: bounty@meingpt.com
We will then discuss individually:
- The scope of allowed tests
- Testing methods
- Reporting procedures
- The verification process
Program Rules
- Do not access, modify, or delete user data. You can use our staging environment on staging.meingpt.com to ensure you don't accidentally access real user data
- Avoid service disruption - no DoS attacks or resource exhaustion
- One vulnerability per report - separate issues require separate reports
- Allow time for patching - coordinate disclosure timeline with our team
- Comply with all applicable laws - unauthorized access is prohibited
- Report in good faith - no extortion or threat demands
- Testing accounts only - use accounts you control
Disqualifications
The following actions will result in immediate disqualification and potential legal action:
- Public disclosure before resolution
- Attempted extortion or blackmail
- Testing on production systems without authorization
- Accessing customer data
- Social engineering of employees
- Physical security testing
Responsible Disclosure Policy
β Allowed
- Coordinated disclosure after successful resolution
- Recognition in our Security Hall of Fame
- Legal protection for responsible researchers
- Constructive collaboration with our security team
β Not Allowed
- Access to customer data without permission
- Denial of Service (DoS) attacks
- Social engineering of employees
- Physical attacks on our infrastructure
π Security Champions
Hall of Fame
We thank all security researchers who have contributed to improving our platform. With their consent, we will publish their names here.
- Kunal Mishra
- Aqudas Gulzar
- Fabrikat0r
Details about specific vulnerabilities are not shared publicly for security reasons.
π Contact
For Different Concerns
- Security Vulnerabilities/Bug bounty reports: security@meingpt.com
- General Questions: support@meingpt.com
PGP Encryption
For particularly sensitive reports, our public PGP key is available upon request.
Further Information:
- π Software Security - Development Security
- π Infrastructure Security - Technical Security Measures
- π DataVault Privacy - OnPremise Privacy