
Responsible Disclosure

Last updated on January 16, 2026

Last reviewed on January 16, 2026

At Mintlify, we care deeply about the safety and security of our customers' data. We greatly value input from our community that can help us detect vulnerabilities in our products and services.

How to report an issue

If you have discovered an issue or vulnerability that is in-scope (see below), please send an email to security@mintlify.com with the following details.

  • A summary of the vulnerability and potential impact
  • Steps to reproduce the issue, including screenshots
  • Details of your environment including OS, browser, and device details
  • If possible, proof-of-concept code to exploit the vulnerability

Upon receiving your email, our team will conduct an investigation. We will update you on our progress, and may request further details, or retesting of the finding if needed.

All original reports will be considered, and bounties may be issued at our sole discretion.

In scope

Out-of-scope

  • Automated scanning
  • Social engineering, particularly involving Mintlify employees
  • Missing or insufficient rate limiting
  • Missing headers in responses, except in cases where material harm or exploitation is evident
  • Brute force attacks
  • DDoS attacks
  • Clickjacking on pages with no sensitive actions
  • Theoretical attacks without proof of exploitability
  • Attacks requiring physical access to a victim's device
  • Attacks requiring interception of a valid user's network traffic
  • Denial of service attacks

We kindly ask you

  • Test the vulnerability on your own account. If testing on another account, make sure to have requested explicit permission
  • Do not copy or destroy production data
  • Do not engage in activities that will cause downtime for our services
  • Avoid violations of our privacy policies, terms of service, and other data privacy regulations
  • Do not make the vulnerability public before reporting it to us via the procedures above, and giving us enough time to properly address the issue

Report Format

  • Reports must be made to security@mintlify.com
  • Reports must include a summary of the vulnerability and potential impact, including a calculated CVSS score and how you arrived at that score
  • Reports must include steps to reproduce the issue, including screenshots. Video-only recordings are insufficient
  • Reports must include details of your environment including OS, browser, and device details
  • Reports must include proof-of-concept code or any payloads used to exploit the vulnerability

Risk Assessment and Bounties

  • Risk assessment and bounties will be determined on a case-by-case basis by our security team, leveraging the CVSS v3 and v4 scoring system with internal knowledge of our systems to accurately inform the assessment
  • Previous bounty amounts, from Mintlify or other bug bounty programs, are not to be considered precedent when determining bounty amounts
  • Bounty amounts and payments, if any, are subject to change at our sole discretion, and will be communicated to you via email or Slack
  • Bounties will be paid in US dollars, via PayPal Goods & Services
  • Bounties will be paid out within 30 days of the vulnerability being retested and remediation confirmed

Happy hacking, from the Mintlify Team 💚
