• Platform
    Mend-io-logo-mark
    AI Native AppSec Platform Take a tour
    Mend. Io responsible disclosure policy - ai
    Mend AI Secure AI powered applications
    Mend sast icon
    Mend SAST Secure proprietary code 10x faster
    Mend container small icon
    Mend Container Container security done right
    Mend. Io responsible disclosure policy - sca
    Mend SCA Decrease open source risk
    Mend. Io responsible disclosure policy - renovate
    Mend Renovate Automate dependency updates
    Expand AppSec coverage
    Mend. Io responsible disclosure policy - dast icon 1 DAST Mend. Io responsible disclosure policy - apis icon 1 API security Mend. Io responsible disclosure policy - eol icon EOL support
    Platform Benefits
    Mend. Io responsible disclosure policy - repoi icon Repo integration Scalability-icon Scalability Mend. Io responsible disclosure policy - reachability icon Reachability
  • Solutions
    Ai models risk - nav bar icon
    AI app security Manage risks in AI models and agents
    Ai-red-teaming-icon-
    AI red teaming Test and secure conversational AI
    Mend. Io responsible disclosure policy - ai gen code security nav bar icon 36x36 1
    AI gen code security Real-time AI code security
    Sbom - nav bar icon
    SBOM Move from static to effective SBOMs
    Runtime-security-nav-bar-icon
    Dynamic testing Test for risks in running applications
    Code scanning - nav bar icon
    Code scanning Find and fix known vulnerabilities
    Open source license nav bar icon
    Open source security Prevent. Prioritize. Automate.
    Open source license - nav bar icon
    Open source compliance Risk management for OSS licenses
    Dependency updates - nav bar icon
    Dependency updates Reduced risk, better code
    Container security container security
    Container security Container security, simplified
  • Company
    About us - nav bar icon
    About us Who we are
    Careers nav bar icon
    Careers Join our team
    Partners - nav bar icon
    Partners Meet our partners
    Events - nav bar icon
    Events Upcoming events
    Newsroom - nav bar icon
    Newsroom The latest Mend.io news
    Contact-us nav bar icon
    Contact us Connect with us
  • Resources
    Resource center - nav bar icon
    Resource center View our latest resources
    Blog - nav bar icon
    Blog The latest AppSec news and insights
    Podcast-icon
    Podcast Insights from leading experts
    Customers - nav bar icon
    Customers View our customer case studies
    Integrations - nav bar icon
    Integrations Find your integration
    Langugages nav bar icon
    Languages Find your language
    Vulnerability database - nav bar icon
    Vulnerability database Mend.io's OSS vulnerability database
    Documentation - nav bar icon
    Documentation Product and feature documentation
    Featured
    Mend. Io responsible disclosure policy - featured image
    A CISO’s Guide to Securing AI from the Start
    Mend. Io responsible disclosure policy - practical guide to sast white paper image
    A Practical Guide to Making the Most of your SAST Investment
Schedule a Demo

Mend.io Responsible Disclosure Policy

At Mend.io, the security and privacy of our users and systems are core priorities. We welcome contributions from the security community and encourage responsible reporting of vulnerabilities. If you’ve discovered a potential security issue in one of our systems, products, or websites, we want to hear from you. We appreciate your help!

How to report a vulnerability:

If you identify a security vulnerability, please report it per the instructions below and include as much detail as possible to help us reproduce and understand the issue, such as:

  • A description of the vulnerability
  • Steps to reproduce
  • The affected system, service, or URL
  • Any supporting materials (screenshots, code snippets, proof-of-concept)
  • Your identifying information

You may choose to report anonymously, but please note that we may not be able to provide follow-up communication if you do not identify yourself.

For any questions, you may also contact us via email at security@mend.io.

Please Do:

  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Only access, modify, or interact with your own accounts or data (unless explicitly authorized by us in writing)
  • Use the minimum amount of data necessary to demonstrate the vulnerability
  • Provide us with a reasonable opportunity to investigate and resolve the issue and do not disclose it to others before the vulnerability is fixed
  • Comply with applicable laws while conducting your testing

Do Not:

  • Exploit the vulnerability beyond what’s necessary to prove its existence
  • Download, modify, or delete data that doesn’t belong to you
  • Disclose the issue to third parties or the public until we’ve resolved it
  • Use physical security attacks, social engineering, phishing, denial of service (DoS), or resource exhaustion tactics
  • Test third-party applications or services that integrate with Mend.io
  • Introduce or test malware, spam, or malicious payloads
  • Engage in any testing that would harm or degrade Mend.io’s systems or services

Out of scope vulnerabilities:

The following types of issues are outside the scope of this policy:

  • Physical attacks or access
  • Social engineering or phishing
  • DoS or resource exhaustion
  • Clickjacking on pages without sensitive actions
  • CSRF on non-sensitive or unauthenticated forms
  • Attacks requiring MITM or physical access to user devices
  • Vulnerabilities without a working proof-of-concept
  • CSV injection without demonstrated impact
  • Missing best practices (e.g., CSP, SSL/TLS configuration, cookie flags)
  • Outdated browser vulnerabilities (older than two stable versions)
  • Email security misconfigurations (SPF/DKIM/DMARC)
  • Tabnabbing, content spoofing, or cosmetic issues without a viable attack vector
  • Software version disclosures, banner identification, or verbose error messages
  • Brute force or rate-limiting issues on non-authentication endpoints

What happens next:

Once we receive your report, we will:

  • Acknowledge receipt (if contact details are provided)
  • Investigate the reported issue
  • Assess severity and complexity to determine remediation time
  • Keep you updated on progress (if applicable)

Please note: resolution timelines vary depending on the nature of the issue.

Response targets for this program:

Time to first response: 1 day

Time to triage: 2 days

Time to resolution: 45 days

Legal Safe Harbor:

If you comply with this policy, we will not pursue legal action against you for security research activities. However, noncompliance or actions that violate applicable law or our Terms of Service may result in legal consequences. In addition, we make no representation or warranty on behalf of any third-party. Third-party individuals and entities may independently assess whether your actions may have caused harm to such third parties or violated their terms of use and, therefore, may independently seek legal action or remedies.

Thank you for helping us keep our systems, products and websites safe!

© 2025 Mend.io (White Source Ltd.) All rights reserved.