meilynx_

Security

Report a vulnerability.

We welcome reports from security researchers. If you've found a vulnerability in a Meilynx system, here's how to reach us, what's in scope, and our commitment to researchers acting in good faith.

How to report

Tell us what you found.

One inbox, monitored by our security team. Clear reports get faster fixes.

Email security@meilynx.com

Send a clear description of the issue, the affected asset or URL, and reproduction steps. Encrypt sensitive details if you prefer — ask and we'll share a key.

Give us time to fix it

Please don't publicly disclose or share a vulnerability until we've had a reasonable opportunity to remediate and confirm a fix with you.

Act in good faith

Only test against assets in scope below, access the minimum data necessary to demonstrate the issue, and never degrade service or other users' experience.
Safe harbor

Good-faith research is authorized.

We won't penalize researchers who play by the rules.

If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue promptly. If a third party brings legal action against you for activity that complied with this policy, we will make this authorization known. This policy does not authorize actions that violate applicable law.

Scope

Where to look — and where not to.

Raw prompts and responses stay inside the customer's perimeter; the proxy itself is the asset we care most about.

In scope

  • www.meilynx.com and app.meilynx.com
  • The Meilynx proxy and control-plane APIs
  • Authentication, authorization, and tenant-isolation flows

Out of scope

  • Volumetric or denial-of-service testing of any kind
  • Social engineering, phishing, or physical attacks against Meilynx or its staff
  • Third-party platforms we use (e.g. our hosted Trust Center provider) — report those to the relevant vendor
  • Findings from automated scanners without a demonstrated, exploitable impact
What to expect

How we respond.

Acknowledgement

Within 3 business days

We'll confirm we received your report and assign it an owner on our security team.

Resolution

Triage & fix

We'll validate, prioritize by severity, and keep you updated through remediation. Timelines depend on impact and complexity.

Recognition

Credit, not bounty

We don't currently run a paid bounty, but with your permission we're glad to credit your responsible disclosure once a fix ships.
Diligence-ready

Looking for our security posture?

Live control status, our SOC 2 posture, and NDA-gated reports live in our Trust Center.

View live control statusTrust Center