
Vulnerability Disclosure Policy

This policy explains how to report a vulnerability, how submissions are assessed, and how discretionary rewards are determined.

Updated this week

At Milanote, we take responsible vulnerability disclosure seriously. Milanote does not operate a formal public bug bounty program. However, we review security reports submitted in good faith and may, at our sole discretion, offer a modest discretionary reward for qualifying findings.


How to Report a Vulnerability

Please send reports to: security@milanote.com

A valid report should include:

  • A clear description of the issue

  • Affected production environment (host, endpoint, or component)

  • Step-by-step reproduction instructions

  • Working proof-of-concept demonstrating real security impact

  • Relevant screenshots, HTTP requests/responses, or logs

Reports must be submitted privately and must not be publicly disclosed without prior coordination.

Reports that do not demonstrate reproducible, material security impact may be closed without a detailed response.

Submit one materially distinct vulnerability per email.

If multiple endpoints or flows share the same root cause, consolidate them into a single report.


Responsible Reporting (Safe Harbour)

Researchers must:

  • Act in good faith

  • Avoid privacy violations, data manipulation, or service disruption

  • Access only accounts created for testing

  • Not leverage findings for financial gain outside this process

Testing must not involve social engineering, phishing, denial of service, physical security attacks, or testing against accounts not controlled by the researcher.

Good-faith research conducted under these terms will not result in legal action.


Eligibility for Discretionary Rewards

Milanote may, at its sole discretion, offer a modest discretionary reward for validated vulnerabilities that:

  • Were previously unknown to Milanote at the time of report

  • Represent a materially distinct root cause

  • Demonstrate clear, reproducible high-severity impact

  • Are not variations or re-demonstrations of an existing or previously identified issue

Rewards are discretionary, not guaranteed, and determined case-by-case based on demonstrated exploitability and impact.

Milanote’s determination of severity, prior knowledge, impact, and distinctness is final.


Severity Assessment

We reference industry-standard frameworks, including the Bugcrowd Vulnerability Rating Taxonomy (VRT).

Only vulnerabilities assessed as high severity or above, with demonstrated material impact, are typically considered for discretionary rewards.

Severity classification alone does not guarantee eligibility.


Grouping of Related Findings

Reports deriving from the same root cause, vulnerability class, architectural pattern, or access control weakness are treated as a single finding.

Distinct endpoints, parameters, API versions, user flows, or exploitation techniques do not automatically constitute materially distinct vulnerabilities if they stem from the same root cause.

This includes:

  • The same access control flaw affecting multiple endpoints

  • The same authentication, session, or token validation weakness across flows

  • Repeated instances of the same business logic issue

  • Variations of the same misconfiguration pattern

Multiple affected endpoints or flows do not increase reward eligibility.

Milanote determines, in its sole discretion, whether a report is materially distinct or a variation of an existing issue.


In Scope

We prioritise vulnerabilities demonstrating material, real-world impact in production systems, including:

  • Unauthorised access to another user’s account or data

  • Cross-account data exposure

  • Authentication bypass or account takeover

  • Privilege escalation

  • Access control bypass of sensitive functionality

  • Remote code execution

  • Exposure of sensitive data with demonstrable risk

  • Denial of service, where the impact can be demonstrated without disruptive testing (see Responsible Reporting)

Reports must include a working proof-of-concept and demonstrate practical exploitability.


Out of Scope

Best-Practice & Hardening Observations

  • Missing security headers, cookie flags, CORS configuration, or TLS preferences

  • Token lifetime, rotation, or session management recommendations without demonstrated exploit path

  • Configuration improvements without material security impact

Theoretical or Low-Impact Findings

  • OAuth, authentication, token, or session observations that do not demonstrate reproducible compromise of another user account, cross-account access, or material access control bypass

  • Clickjacking unless a working exploit demonstrates account takeover or sensitive action execution

  • Open redirects without additional demonstrated security impact

  • CSRF without meaningful state change

  • Rate limiting or brute-force observations without demonstrated account compromise

  • Self-XSS or issues requiring users to execute code

  • Informational disclosures (e.g. verbose errors, version exposure)

  • UI behaviours without security consequence

  • Issues requiring unrealistic or contrived user interaction

Duplicate or Variant Reports

  • Multiple endpoints affected by the same underlying weakness

  • Variations or enumerations of a previously identified issue

  • Reports stemming from a previously identified or remediated root cause

  • Submissions lacking sufficient reproduction detail

  • Publicly disclosed CVEs or third-party scanner findings, unless a verified exploit demonstrates material impact in Milanote’s production environment


Response Expectations

Reports are reviewed alongside broader engineering priorities. No response timeframe is guaranteed.

High-impact vulnerabilities are prioritised. Reports outside scope or eligibility criteria may be closed without extended correspondence.


Public Disclosure

We request reasonable time for investigation and remediation before public disclosure.


Important Notes

  • Rewards are discretionary and not guaranteed.

  • Milanote may modify this policy at any time.

  • This is not a formal sustained bug bounty program.
