Security Policy & Vulnerability Disclosure

Effective date: 2026-02-19

This page describes how to report security issues in Monolyn Labs products and what you can expect from us. For machine-readable contact discovery, see /.well-known/security.txt.

1. How to report a vulnerability

Please include (if available):

  • Product name (e.g., iOS app name, or Atlassian Cloud app name)
  • Version/build (or Marketplace app version)
  • Steps to reproduce (clear and minimal)
  • Expected vs actual behavior
  • Proof-of-concept (PoC) and/or screenshots
  • Impact assessment (what an attacker could do)

Please avoid: sending sensitive personal data, secrets, or production customer data. If you need to share sensitive material, request a secure channel first.

2. Response targets

  • Acknowledgement: within 2 business days (best effort)
  • Initial assessment / next steps: within 5 business days (best effort)
  • Fix timelines vary based on severity and release constraints

3. Coordinated disclosure

We support coordinated vulnerability disclosure. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and release a fix or mitigation. We will communicate an ETA when possible.

4. Scope

This policy covers Monolyn Labs products, including:

  • Monolyn Labs iOS apps published on the App Store
  • Monolyn Labs Atlassian Cloud apps (e.g., Jira Cloud apps)

Note: Some Atlassian Cloud apps run on Atlassian Forge and operate within Atlassian’s hosting environment. If a product uses third-party services or external network calls, this is documented in the relevant product privacy policy.

5. Bug bounty

We do not currently run a public bug bounty program.

6. Contact

Security: security@monolyn.nl
Support: support@monolyn.nl