Skip to content

TRUST & POLICIES

Bug Bounty

Last updated: April 15, 2026

We rely on the security community to keep Mumm safe. If you find a vulnerability, please tell us first — we will respond fast, fix it, and credit you.

On this page
  1. In scope
  2. Out of scope
  3. Rewards
  4. How to report
  5. Safe harbor

In scope

  • app.trymumm.com — the user-facing web app
  • api.trymumm.com — the public REST API surface (per docs 30, 36)
  • mcp.trymumm.com — the MCP server
  • trymumm.com — the marketing site
  • Any first-party Mumm package published to npm

Out of scope

  • Findings exclusively against third-party providers (Stripe, Supabase, Anthropic, Twilio, Resend, Retell, etc.) — please report those upstream
  • Best-practice issues without a demonstrable exploit (e.g. missing security headers on a marketing-only page, weak TLS cipher with no real-world impact)
  • Denial-of-service via sheer volume; please do not attempt large-scale fuzzing or load testing
  • Social engineering of Mumm staff or customers
  • Physical security of Mumm offices or vendor data centers
  • Reports generated solely by automated scanners with no manual validation

Rewards

Rewards are paid in USD via the same channel you prefer for invoices (typically PayPal or bank transfer). We reserve the right to scale rewards based on demonstrated impact, exploit reliability, and report quality.

Critical ($1,000–$5,000)
Account takeover without user interaction, payment manipulation, full PHI exfiltration, RCE on production infrastructure, broken multi-tenant isolation that exposes another user's data.
High ($250–$1,000)
Authentication bypass on a single account, partial PHI exposure, server-side request forgery touching internal services, persistent XSS in an authenticated surface.
Medium ($100–$250)
Reflected XSS, CSRF on state-changing endpoints, sensitive information disclosure (e.g. internal IDs that enable enumeration), authorization issues on lower-risk surfaces.
Low ($50–$100)
Lower-impact information disclosure, security misconfigurations with limited exploitability, rate-limit bypasses without follow-on impact.

How to report

Email security@trymumm.com with a clear write-up: what you found, how to reproduce it, what an attacker could do, and any suggested remediation. PGP welcomed; key fingerprint published on the same email address.

We acknowledge every report within one business day and aim to triage within three. You will hear from a real person, not an autoresponder.

Safe harbor

We will not pursue legal action against good-faith security research that respects this policy. Make a reasonable effort to avoid privacy violations, data destruction, and service disruption. If in doubt, ask before testing.

Use only test accounts you create yourself. Do not access, modify, or download other users' data. If you incidentally come across user data, stop immediately and report it.