Responsible Disclosure Policy

We take security seriously and value the contributions of security researchers who help keep Midas Edge and our users safe.

How to Report

If you believe you have found a security vulnerability in Midas Edge, please report it to us at security@midas-edge.com.

Please include as much detail as possible: steps to reproduce, affected components, potential impact, and any proof-of-concept code.

Response Expectations

These are operational targets, not guaranteed SLAs. Report quality, third-party provider involvement, researcher coordination, and validation work can change timing.

Receipt: We aim to acknowledge complete reports within 2 business days after security mailbox triage; this is not an automated acknowledgement guarantee
Initial review: We aim to provide a first human assessment within 5 business days for reports with enough detail to reproduce or evaluate the issue
Critical issues: Confirmed high-impact vulnerabilities are prioritized for mitigation planning within 1 business day of validation, based on exploitability, user risk, and available mitigations
Updates and resolution: We aim to share status updates at least every 10 business days until closure or coordinated disclosure; remediation timing depends on severity, provider dependencies, validation, and disclosure needs

In Scope

midas-edge.com and all subdomains
Midas Edge API endpoints
Authentication and authorization systems
Data handling and storage security
Third-party integrations (Plaid, Stripe) as they relate to our implementation

Out of Scope

Social engineering attacks against employees or users
Physical attacks against infrastructure
Denial of service (DoS/DDoS) attacks
Vulnerabilities in third-party services not under our control
Spam or social media account issues

Testing Guidelines

Do not access, modify, or delete data belonging to other users
Do not degrade service performance or availability
Use your own test accounts; do not target real user data
Stop testing and report immediately if you access sensitive data

Safe Harbor

When conducting security research in accordance with this policy, we consider your research to be:

Authorized and we will not pursue legal action
Exempt from DMCA anti-circumvention provisions
Exempt from CFAA restrictions that would otherwise prohibit it

This safe harbor applies only to legal claims under our control. It does not bind independent third parties.

Recognition

We publicly acknowledge security researchers who help improve our security (with your permission) in our Security Hall of Fame.

While we do not currently offer monetary bounties, we are grateful for your contributions and may offer rewards on a case-by-case basis for critical vulnerabilities.