Security Disclosure Policy
Last Updated: March 15, 2025
This Security Disclosure Policy is published by Muvr Technologies, Inc. and its affiliates (“Muvr,” “we,” “us,” or “our”) and describes how to responsibly report security vulnerabilities affecting our websites, mobile applications, APIs, and related services (collectively, the “Platform”).
We appreciate the work of security researchers and the community in helping us keep the Platform safe. This policy is designed to encourage responsible reporting and to protect users, researchers, and Muvr.
1) Scope
This policy applies to security vulnerabilities in:
- the Platform (websites, mobile apps, and related services)
- Muvr-owned domains and subdomains
- Muvr APIs and integrations (if publicly accessible)
- systems and services directly operated by Muvr
This policy does not apply to:
- third-party services that integrate with the Platform but are not operated by Muvr (those should be reported to the third party)
- social engineering attacks (for example, phishing Muvr employees or contractors)
- physical security issues at facilities not operated by Muvr
- issues in user devices, networks, or email providers outside Muvr’s control
2) How to report a security issue
If you believe you have discovered a vulnerability, report it promptly and privately.
Submit a report through the security contact method listed on our website or through Support with “Security Disclosure” in the subject line. If we provide a dedicated security email address or form on our website, that method should be used.
Your report should include:
- a clear description of the issue and why it is a security risk
- the affected product area (web, iOS, Android, API, etc.)
- steps to reproduce (proof of concept when helpful)
- the potential impact (what an attacker could do)
- any relevant logs, screenshots, or videos (do not include sensitive personal data unless necessary)
- your contact information for follow-up questions
If you are reporting an account-specific issue, do not send passwords. If you include test account details, use a newly created test account where possible.
3) Safe harbor for good-faith security research
We will not pursue legal action against you for security research that is:
- conducted in good faith
- focused on finding and reporting vulnerabilities
- consistent with this policy
- not intended to harm users or disrupt services
This safe harbor does not apply to actions that are unlawful, malicious, or outside this policy, including theft of data, extortion, or disruption of service.
4) Rules for responsible testing
When testing or researching, you agree to:
- Avoid privacy violations: Do not access, view, download, copy, alter, or delete data belonging to others. If limited access to data is unavoidable to demonstrate impact, stop immediately and include only the minimum necessary evidence in your report.
- Avoid service disruption: Do not run denial-of-service tests, automated flooding, brute-force attempts, or other activity that degrades the Platform.
- Use minimal testing: Use the minimum amount of traffic and actions necessary to confirm a vulnerability.
- No persistence: Do not install backdoors, create persistence, or maintain unauthorized access.
- No lateral movement: Do not attempt to access internal systems or accounts you do not own or control.
- Respect boundaries: Do not test third-party systems or services that are outside the scope.
- No social engineering: Do not phish, vish, or otherwise target employees, providers, or users for credentials or access.
- No extortion: Do not demand payment in exchange for reporting or withholding a vulnerability.
5) What not to include in reports
To protect user privacy and security, do not include:
- full payment card numbers
- government identifiers unless strictly necessary
- sensitive personal information of any user
- large data dumps
- private keys, credential lists, or stolen access tokens
If you inadvertently obtain sensitive information, stop immediately, secure it, and tell us what happened. Do not share it with anyone else.
6) Coordinated disclosure and public discussion
We ask that you:
- keep the vulnerability confidential until we have had a reasonable opportunity to investigate and remediate
- avoid public disclosure of technical details or proof of concept code that would increase risk before a fix is available
If you want to publish research, contact us first so we can coordinate timing. We may request a reasonable delay to protect users, consistent with industry practices.
We may disclose limited information about vulnerabilities to users, regulators, or partners where appropriate, including for transparency or compliance, while protecting security-sensitive details.
7) Response process
After you submit a report, we may:
- acknowledge receipt
- ask clarifying questions or request additional evidence
- assess severity and prioritize remediation
- implement mitigations or fixes
- notify affected users or parties where required by law or appropriate for safety and trust
We do not guarantee specific timelines, but we aim to address high-impact issues affecting core systems as quickly as reasonably practicable.
8) Rewards and bug bounties
If we operate a bug bounty or reward program, it will be described on our website with eligibility requirements and rules. If we do not operate a bounty program, we may still, at our discretion, recognize or thank researchers who provide high-quality reports.
Nothing in this policy creates an obligation to pay rewards.
9) Disqualification and enforcement
This policy does not protect you if you:
- intentionally access or exfiltrate user data
- disrupt services or degrade system performance
- use a vulnerability to cause harm
- engage in extortion, ransom demands, or threats
- violate applicable law
- test outside the scope listed in this policy
We may refer conduct that appears malicious or unlawful to law enforcement.
10) No waiver; reserved rights
We reserve the right to:
- investigate reported issues and validate findings
- determine scope and severity in our discretion
- take action to protect the Platform, users, and our systems
- request that you stop testing if we believe it creates risk
Failure to enforce this policy in one instance does not waive our right to enforce it in the future.
11) Updates
We may update this policy from time to time. Updates will be reflected by the “Last Updated” date above.
12) Contact
Report security issues through the security contact method listed on our website or through Support with “Security Disclosure” in the subject line.