Overview
At Mirai, we take the security of our systems and services seriously. We recognize the important role that security researchers and the broader community play in keeping the internet safe. This Responsible Disclosure Policy outlines how we work with security researchers to address security vulnerabilities.
We encourage responsible disclosure of security vulnerabilities and appreciate the efforts of security researchers who help us maintain the security and privacy of our users. This policy is designed to provide clear guidelines for reporting security issues and to ensure a coordinated and timely response.
By following this policy, security researchers can help us protect our users and systems while avoiding legal issues and ensuring that vulnerabilities are addressed appropriately.
Scope
This policy applies to security vulnerabilities discovered in Mirai's systems, services, and applications, including:
- Our public-facing websites and web applications
- Our APIs and backend services
- Our mobile applications
- Our autonomous systems and related software
- Any other systems or services operated by Mirai
We are particularly interested in vulnerabilities that could impact the security or privacy of our users, including but not limited to:
- Authentication and authorization flaws
- Data exposure or leakage
- Cross-site scripting (XSS)
- SQL injection
- Remote code execution
- Server-side request forgery (SSRF)
- Critical security misconfigurations
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to us as soon as possible. We ask that you:
- Email your findings to hello@miraitech.ai with a clear description of the vulnerability
- Provide sufficient information to reproduce the issue, including steps to reproduce, affected systems, and potential impact
- Allow us a reasonable amount of time to address the vulnerability before disclosing it publicly
- Act in good faith and avoid accessing or modifying data that does not belong to you
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not violate any laws or breach any agreements in the course of your research
We will acknowledge receipt of your report within 48 hours and provide an initial assessment within 7 business days. We will keep you informed of our progress in addressing the vulnerability.
What to Include
To help us understand and address the vulnerability quickly, please include the following information in your report:
- Description: A clear description of the vulnerability and its potential impact
- Steps to Reproduce: Detailed steps to reproduce the vulnerability, including any required tools or configurations
- Proof of Concept: If possible, include a proof of concept or screenshots demonstrating the vulnerability
- Affected Systems: Information about which systems, services, or applications are affected
- Potential Impact: An assessment of the potential impact if the vulnerability were to be exploited
- Suggested Fix: If you have ideas for how to fix the vulnerability, we welcome your suggestions
The more detailed and actionable your report, the faster we can address the issue. We appreciate thorough reports that help us understand the full scope and impact of the vulnerability.
Our Commitment
When you report a vulnerability in accordance with this policy, we commit to:
- Responding to your report promptly and keeping you informed of our progress
- Working diligently to address the vulnerability in a timely manner
- Providing appropriate recognition for your responsible disclosure, if desired
- Not taking legal action against you for your research, provided you comply with this policy
- Treating your report with confidentiality until we have addressed the issue
We aim to resolve critical vulnerabilities within 90 days of receiving a valid report. We will address less critical issues as part of our regular security maintenance cycle.
While we cannot guarantee monetary rewards, we may offer recognition or compensation for particularly significant vulnerabilities reported in accordance with this policy, at our sole discretion.
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith and in accordance with this Responsible Disclosure Policy
- Do not access or modify data that does not belong to them
- Do not violate any laws or breach any agreements in the course of their research
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Give us a reasonable amount of time to address the vulnerability before disclosing it publicly
This safe harbor applies only to security research activities conducted in accordance with this policy. Any activities that go beyond the scope of this policy, including accessing or modifying data without authorization, may be subject to legal action.
If you are unsure whether your research activities are covered by this policy, please contact us at hello@miraitech.ai before proceeding.
Out of Scope
The following activities are out of scope for this policy:
- Social engineering or phishing attacks against our employees or users
- Physical attacks against our facilities or infrastructure
- Denial of service attacks or attempts to disrupt our services
- Attacks that require physical access to a user's device
- Issues that require unrealistic user interaction or unlikely user configurations
- Vulnerabilities in third-party services or applications that we do not control
- Issues that have already been reported to us or are publicly known
- Spam, denial of service, or resource exhaustion attacks
If you are unsure whether a particular vulnerability is in scope, please contact us at hello@miraitech.ai before reporting it.
We reserve the right to modify this policy at any time. We will notify security researchers of any material changes to this policy.
If you have any questions about this Responsible Disclosure Policy, please contact us at hello@miraitech.ai.