Security Disclosure Policy
Effective Date: May 15, 2026
Version: 1.0
Platform Owner: FOP Haitan Kyrylo Oleksandrovych (hereinafter referred to as "Mirkaso", "we", "the Platform")
Website: https://mirkaso.com
1. Our Commitment to Security
1.1. Mirkaso takes the security of our users, their data, and our Platform infrastructure very seriously. We recognize that security researchers play a vital role in ensuring software security.
1.2. We encourage responsible disclosure of vulnerabilities and welcome good-faith efforts to discover and report potential security issues on our Platform.
1.3. This Policy defines the rules of engagement between Mirkaso and security researchers, as well as the procedures for submitting, processing, and remediating vulnerability reports.
2. Responsible Disclosure
2.1. We accept vulnerability reports in accordance with the principles of responsible disclosure. This means that we expect researchers to:
- Act in good faith: conduct testing for the purpose of discovering and reporting vulnerabilities, not to cause harm;
- Maintain confidentiality: not disclose vulnerability information publicly until it has been resolved;
- Take a respectful approach: avoid harm to user data, confidential information, and Platform availability;
- Collaborate: provide sufficient information to reproduce and remediate the vulnerability.
2.2. A researcher who adheres to this Policy and the principles of responsible disclosure receives our commitment of no legal action (see Section 8).
2.3. How to report a vulnerability:
- Send an email to: security@mirkaso.com
- Subject line: [Security Report] Brief description of vulnerability
- Use encryption (PGP/GPG) if possible (key available upon request)
- Provide as detailed a description of the vulnerability as possible
2.4. If you do not receive a response within 48 hours, please send a follow-up message.
3. Scope
3.1. This Policy applies to the following systems and domains:
| System | Scope |
|---|---|
| Main website | https://mirkaso.com and all its pages |
| API | api.mirkaso.com and all endpoints |
| Subdomains | *.mirkaso.com (all subdomains belonging to Mirkaso) |
| Mobile applications | Official Mirkaso applications (if available) |
| Software components | Platform components open for interaction |
3.2. Out of scope (we do not accept reports for):
- Third-party infrastructure not owned by Mirkaso;
- Social engineering (phishing attacks against employees);
- Physical attacks on offices or equipment;
- Vulnerabilities in software that Mirkaso uses but does not develop (except where Mirkaso's configuration creates a vulnerability).
4. Rules of Testing
4.1. When conducting security testing, a researcher must comply with the following rules:
4.1.1. Do not interfere with other users' data
- Do not access, copy, or modify data of other Platform users;
- Do not create, delete, or modify accounts of other users;
- Do not conduct testing that could affect Platform availability for other users.
4.1.2. Do not use DDoS attacks
- Do not create excessive load on Platform infrastructure;
- Do not conduct denial of service attacks;
- Do not use automated scanning tools with high request intensity.
4.1.3. Do not use social engineering
- Do not use phishing, vishing, or other social engineering techniques against Mirkaso employees, contractors, or users;
- Do not attempt to gain physical access to premises or equipment belonging to Mirkaso;
- Do not attempt to gain access to third-party systems trusted by Mirkaso.
4.1.4. General restrictions
- Do not install malicious software (malware, backdoors, rootkits);
- Do not modify or delete data or files;
- Do not attempt to access monitoring, logging, or backup systems;
- Comply with applicable laws during testing.
5. What We Ask For
5.1. When submitting a vulnerability report, please provide the following information:
5.1.1. Detailed vulnerability description
- Vulnerability type (e.g., XSS, SQL Injection, IDOR, CSRF, etc.);
- Location (URL, endpoint, component);
- Description of the vulnerability mechanism;
- CVSS score (if possible).
5.1.2. Steps to reproduce
- Clear, step-by-step instructions on how to reproduce the vulnerability;
- Minimum conditions required for reproduction;
- Examples of requests/responses, scripts, or commands (if applicable);
- Versions of software, browsers, or tools used.
5.1.3. Impact Assessment
- Description of potential consequences of exploiting the vulnerability;
- Assessment of risk level to users and the Platform;
- Potential attack scenarios;
- Remediation recommendations (if available).
5.1.4. Additional information
- Is this vulnerability already publicly known?
- Have you reported it to other organizations?
- Your contact information for further communication;
- Whether you wish to remain anonymous in public disclosure.
6. Response Times
6.1. We commit to the following timelines when processing vulnerability reports:
| Stage | Timeline | Description |
|---|---|---|
| Acknowledgment | 48 hours | Automatic or manual acknowledgment of receipt of your report |
| Initial assessment | 7 days | Initial assessment of vulnerability severity and action plan |
| Updates | Every 7 days | Regular updates on the status of your report |
| Remediation | Depends on severity | Remediation timeline depends on complexity and priority |
6.2. Vulnerability severity classification:
| Level | Remediation Timeline |
|---|---|
| Critical | Up to 7 days |
| High | Up to 30 days |
| Medium | Up to 60 days |
| Low | Up to 90 days |
6.3. After the vulnerability has been remediated, we will notify the researcher and agree on public disclosure timelines (if the researcher does not wish to remain anonymous).
6.4. We reserve the right to decline reports that:
- do not relate to Mirkaso systems;
- do not contain sufficient information for reproduction;
- describe theoretical vulnerabilities without practical proof of concept;
- relate to software versions that are no longer supported.
7. Rewards & Hall of Fame
7.1. Bug Bounty. At this time, Mirkaso does not operate a monetary bug bounty program. We are considering implementing such a program in the future.
7.2. Hall of Fame. We express our gratitude to security researchers who responsibly report vulnerabilities. With the researcher's permission, their name (or alias) may be listed on our Hall of Fame page.
7.3. Swag. Mirkaso may provide a limited amount of branded merchandise (swag) to researchers who have discovered significant vulnerabilities, at our discretion.
7.4. Public Disclosure Consent. We strive for transparency. After a vulnerability has been remediated, we may publish a summary report. We will always agree on timelines and format with the researcher. The researcher has the right to request anonymity.
8. Legal Matters
8.1. We will not pursue legal action against researchers for good-faith testing. Mirkaso commits to not initiate legal proceedings or file claims against security researchers who:
- comply with this Policy;
- conduct research responsibly and in good faith;
- do not cause harm to the Platform, its users, or third parties;
- do not use discovered vulnerabilities for unauthorized gain;
- do not disclose vulnerability information before it has been remediated without our consent.
8.2. We recognize that researchers acting within the scope of this Policy do not violate laws regarding unauthorized access to computer systems.
8.3. We reserve the right to suspend these protections if it is determined that a researcher:
- used the vulnerability for financial gain;
- caused harm to user data or Platform infrastructure;
- sold or transferred vulnerability information to third parties;
- did not comply with the terms of this Policy.
8.4. This Policy is not a legally binding contract, but expresses our good faith and commitment to collaboration with the research community.
9. Contact Information
For vulnerability reports:
- Email: security@mirkaso.com
- Subject line: [Security Report] Brief description
- PGP/GPG key: available upon request at security@mirkaso.com
For general security inquiries:
- Email: support@mirkaso.com
- Website: https://mirkaso.com
- Owner: FOP Haitan Kyrylo Oleksandrovych, ITN 3097700915, Ukraine, 65037, Odeska obl., Odeskyi r-n, s. Lymanka, vul. Malynova, bud. 20A
This Policy is prepared in accordance with responsible disclosure best practices and international information security standards.