In scope
- app.trymumm.com — the user-facing web app
- api.trymumm.com — the public REST API surface (per docs 30, 36)
- mcp.trymumm.com — the MCP server
- trymumm.com — the marketing site
- Any first-party Mumm package published to npm
Out of scope
- Findings exclusively against third-party providers (Stripe, Supabase, Anthropic, Twilio, Resend, Retell, etc.) — please report those upstream
- Best-practice issues without a demonstrable exploit (e.g. missing security headers on a marketing-only page, weak TLS cipher with no real-world impact)
- Denial-of-service via sheer volume; please do not attempt large-scale fuzzing or load testing
- Social engineering of Mumm staff or customers
- Physical security of Mumm offices or vendor data centers
- Reports generated solely by automated scanners with no manual validation
Rewards
Rewards are paid in USD via the same channel you prefer for invoices (typically PayPal or bank transfer). We reserve the right to scale rewards based on demonstrated impact, exploit reliability, and report quality.
- Critical ($1,000–$5,000)
- Account takeover without user interaction, payment manipulation, full PHI exfiltration, RCE on production infrastructure, broken multi-tenant isolation that exposes another user's data.
- High ($250–$1,000)
- Authentication bypass on a single account, partial PHI exposure, server-side request forgery touching internal services, persistent XSS in an authenticated surface.
- Medium ($100–$250)
- Reflected XSS, CSRF on state-changing endpoints, sensitive information disclosure (e.g. internal IDs that enable enumeration), authorization issues on lower-risk surfaces.
- Low ($50–$100)
- Lower-impact information disclosure, security misconfigurations with limited exploitability, rate-limit bypasses without follow-on impact.
How to report
Email security@trymumm.com with a clear write-up: what you found, how to reproduce it, what an attacker could do, and any suggested remediation. PGP welcomed; key fingerprint published on the same email address.
We acknowledge every report within one business day and aim to triage within three. You will hear from a real person, not an autoresponder.
Safe harbor
We will not pursue legal action against good-faith security research that respects this policy. Make a reasonable effort to avoid privacy violations, data destruction, and service disruption. If in doubt, ask before testing.
Use only test accounts you create yourself. Do not access, modify, or download other users' data. If you incidentally come across user data, stop immediately and report it.