Data security is a top priority for Mio. We believe that working with skilled security researchers helps identify and remediate potential weaknesses in any technology. We appreciate and value those who report issues responsibly and in good faith.
If you believe you’ve found a security vulnerability in Mio’s service, please notify us — we will work with you to investigate and resolve the issue promptly.
Disclosure Policy
If you believe you’ve discovered a potential vulnerability:
- Notify us by emailing soc@m.io. We will acknowledge your report within five business days.
- Provide a clear and detailed report with enough information to help us reproduce and verify the issue.
- Allow us a reasonable amount of time to resolve the issue before disclosing it publicly or to a third party. For critical issues, we aim to provide resolution within five business days of verification.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Mio service.
- Please only interact with domains you own or for which you have explicit permission from the account holder. Testing against systems, accounts, or third-party properties outside Mio’s control is out of scope.
Exclusions
While researching, please refrain from the following:
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Spamming
- Social engineering or phishing of Mio employees or contractors
- Physical attacks against Mio property, offices, or data centers
Out of Scope
The following are considered out of scope for Mio’s Responsible Disclosure Policy:
- Issues related to systems, domains, or services not owned or operated by Mio
- Reports based solely on best practices, missing security headers, or other non-exploitable configurations
- Findings from automated scans that are not manually validated for impact
- Vulnerabilities in third-party software, platforms, or services that Mio uses but does not maintain or control
- Theoretical attacks without a proven, practical security impact
- Reports of outdated software versions without evidence of exploitation or material risk
Our Commitment
Mio undertakes continuous internal vulnerability monitoring, automated scanning, and periodic independent third-party penetration testing to protect our systems.
While Mio does not operate a public bug bounty program and does not guarantee compensation, disclosures that demonstrate real and material security risk may be eligible for a discretionary financial reward, at the sole discretion of Mio’s CEO.
Changes
We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://m.io/disclosure.
Contact
Mio welcomes feedback, questions, and security reports. Please contact us at soc@m.io.