Bug Bounty Program Policy

Last updated: November 26, 2024

1. Introduction

At Minut, we are committed to ensuring the security and privacy of our devices and services. We believe in the power of collaboration with the security research community to identify and address potential vulnerabilities. Our Bug Bounty Program is designed to reward security researchers for their efforts in discovering and responsibly reporting security issues.

2. Scope

This program covers all our devices, mobile and web applications, and cloud services unless explicitly excluded below.

Specifically, the scope includes:

  • M3 (Gen 3) Sensor
  • M2 (Gen 2, formerly Point 2) Sensor
  • Minut app on iOS and Android
  • Minut web app
  • Minut API
  • Minut web store

The following devices are excluded:

  • M1 (Gen 1, formerly Point) Sensor

3. Eligibility

To participate in our Bug Bounty Program, you must:

  • Be at least 18 years old
  • Not currently be, nor ever have been, an employee or contractor of Minut, Inc. or its subsidiaries, and not collaborate on a submission with anyone who currently is or has been
  • Not reside in a country subject to U.S. or EU sanctions
  • Agree to our bug bounty program policy (this document)

4. Submission Process

To submit a vulnerability report:

  1. Identify a security issue within our scope
  2. Document the issue clearly, including steps to reproduce
  3. Reach out to vulnreports@minut.com to coordinate a secure delivery of your report.
  4. Do not disclose the issue publicly until we have had a chance to address it. This normally means 90 days from the date a detailed, reproducible report is delivered to Minut, although exceptions may be made on a case-by-case basis.

5. Reward Structure

Rewards are based on the severity and impact of the reported issue. We reserve the right to decide the size of the reward (if any). Our general reward structure is as follows:

  Severity    Reward range
  Critical    $5,000 - $10,000
  High        $2,000 - $4,999
  Medium      $500 - $1,999
  Low         $100 - $499

6. Legal Safe Harbor

We will not pursue legal action against researchers who:

  • Comply with this policy
  • Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
  • Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue

7. Out of Scope

The following are not eligible for rewards:

  • Denial of Service attacks
  • Social engineering attacks
  • Physical attacks on our offices or data centers
  • Vulnerabilities in third-party applications or websites

8. Response Timeline

We aim to respond to all submissions within 5 business days. Our typical timeline for addressing issues is:

  • Initial response: Within 5 business days
  • Triage and assessment: Within 10 business days
  • Fix implementation: Varies based on complexity
  • Reward issuance: Within 30 days of fix verification

9. Contact

For questions about this program, please get in touch with our security team at vulnreports@minut.com.

10. Updates to This Policy

We reserve the right to update this policy at any time. Any changes will be posted on this page with an updated revision date.