MadMantra

Responsible Disclosure

Last updated: May 2026. For our broader security posture, see /trust.

If you found something

Email hello@madmantra.com with:

  • A clear description of the issue and its impact
  • Steps to reproduce (or a proof-of-concept)
  • The URL, request, or account involved
  • Your name or handle (optional — for credit)

We'll acknowledge receipt within 2 business days and give you an initial assessment within 5 business days.

Our commitments to you

  • We will not pursue legal action against you for good-faith security research that follows this policy.
  • We will keep you informed of remediation progress.
  • We will credit you publicly (with your permission) when the fix ships.
  • We will not require an NDA to report a vulnerability.

In scope

  • The MadMantra platform: madmantra.com, api.madmantra.app, and dashboard surfaces
  • The MadMantra API and its authentication, authorization, and session handling
  • Cross-tenant data exposure within the platform database
  • Prompt-injection chains that allow privilege escalation or data exfiltration
  • Vulnerabilities in customer landing pages served at <slug>.madmantra.app that are caused by the platform's code (not the customer's AI-generated content)

Out of scope

  • Issues in customer-deployed apps that are caused by the customer's own AI-generated code (report those to the customer)
  • Findings from automated scanners without a working proof-of-concept
  • Missing security headers on third-party endpoints we don't control
  • Social-engineering attacks against MadMantra employees
  • Physical attacks against MadMantra infrastructure
  • Volumetric DDoS demonstrations (the network is behind Cloudflare; please don't)
  • Rate-limit findings (we welcome them but treat them as informational, not as vulnerabilities)

Please do not

  • Access, modify, or destroy data that is not your own
  • Run automated scanners against production at high volume
  • Disclose the vulnerability publicly before we've had a chance to fix it
  • Demand payment as a condition of disclosure

Bounty

We don't currently run a paid bounty program. We thank researchers in our changelog, and on serious issues we're happy to send a small gesture of appreciation. As we grow we plan to formalize a paid program.

PGP

We don't currently publish a PGP key. Email hello@madmantra.com over TLS. If you have a finding that genuinely requires encrypted transport, ask in your first message and we'll set up a secure channel.