
SECURITY POLICY

Responsible Disclosure

We take the security of the Mlinzi Cyber platform seriously. If you have discovered a vulnerability, we want to hear from you. This page explains how to report it, what to expect, and how we recognise your contribution.

Our Commitment to You

We will not take legal action

Provided you act in good faith and follow the guidelines on this page, we will not pursue legal action against you for discovering and reporting vulnerabilities.

We will respond promptly

You will receive an acknowledgment within 48 hours of your report; the initial substantive response depends on severity (see Severity Levels and Response Times below). We will keep you informed of our progress and notify you when the issue is resolved.

We will credit your work

With your permission, we will publicly acknowledge your contribution in our security acknowledgments. Verified reports from students are used as case studies in future cohorts.

Scope

In Scope

  • mlinizicyber.com and all subdomains
  • The Mlinzi Cyber web application and API
  • Authentication and session management
  • Payment and subscription flows
  • User data handling and storage
  • Certificate generation and verification

Out of Scope

  • Social engineering attacks against staff or users
  • Physical security of infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior permission
  • Attacks on third-party services (Stripe, Cloudflare, etc.)
  • Issues in software not controlled by Mlinzi Cyber

Severity Levels and Response Times

Each severity level, with examples and the initial response time you can expect:

  • Critical (initial response within 24 hours): remote code execution, authentication bypass, full database access, or mass data exfiltration.
  • High (initial response within 72 hours): privilege escalation, significant data exposure, or bypass of core security controls.
  • Medium (initial response within 7 days): cross-site scripting (XSS), CSRF, insecure direct object references, or missing security headers.
  • Low (initial response within 14 days): information disclosure, minor misconfigurations, or issues with limited security impact.

Reporting Guidelines

When testing for vulnerabilities, please act in good faith. Do not access, modify, or delete data that does not belong to you. Use a test account where possible. If you accidentally access data belonging to another user, stop immediately and include this in your report so we can assess the impact.

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it. We ask for a minimum of 90 days from the date of your report before any public disclosure. We will work with you on the timing and content of any disclosure.

Automated scanning tools that generate high volumes of requests are not permitted without prior written permission. If you wish to conduct automated testing, contact us first at [email protected] to arrange a testing window.

How to Report

Email your report to

[email protected]

Use the subject line: [Security Report] Brief description

Security Acknowledgments

We thank the following individuals for responsibly disclosing security issues and helping make the platform safer for all learners.

  • Researcher: Mozambique Banking Cohort Student
    Finding: 5 missing HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
    Date: March 2026
    Status: Fixed
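The finding above, and the "missing security headers" class in the Medium severity level, are easy to check for yourself before reporting. The following is an added example, not Mlinzi Cyber's own code: it audits a response's headers for the five headers named in that finding and applies a minimal sanity check to each value. The sample responses are constructed here, not captured from the platform, and the value checks and CSP heuristics are this example's own assumptions about what a sane value looks like, not the platform's policy. The `fetch_headers` helper makes a single GET request and is only for use against a target you have permission to test.

```python
"""Audit HTTP response headers for the five security headers named in the
acknowledgment above. Added example; sample responses are constructed."""
from typing import Callable, Dict, List
import urllib.request

# Referrer-Policy values that do not leak the full URL cross-origin (assumption).
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def csp_issues(policy: str) -> List[str]:
    """Flag common weaknesses in a Content-Security-Policy value (heuristic)."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    issues: List[str] = []
    # script-src falls back to default-src when absent.
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        issues.append("no script-src or default-src fallback")
    else:
        has_nonce_or_hash = any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script
        )
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            issues.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script:
            issues.append("script-src allows 'unsafe-eval'")
        if "*" in script:
            issues.append("script-src allows any origin (*)")
    if "object-src" not in directives and directives.get("default-src") != ["'none'"]:
        issues.append("object-src not restricted")
    return issues


# Header name -> predicate returning True when the value looks sane (assumptions).
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "Content-Security-Policy": lambda v: not csp_issues(v),
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Referrer-Policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
    "Permissions-Policy": lambda v: bool(v.strip()),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings ('missing: ...' or 'weak: ...'); empty list means all five pass."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name, is_sane in REQUIRED.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not is_sane(value):
            findings.append(f"weak: {name}: {value.strip()}")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Single GET request; use only against a target you are permitted to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = {"Content-Type": "text/html", "Server": "nginx"}
PARTIAL_RESPONSE = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("partial", PARTIAL_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(hdrs) or 'OK'}")
```

Presence alone is not enough: a header that is set to a permissive value (X-Frame-Options: ALLOWALL, or a CSP whose script-src allows `*` and `'unsafe-inline'`) gives no protection, which is why the audit reports "weak" separately from "missing". Treat the value checks as a starting point and confirm each finding by hand before submitting a report.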
Want to appear here? Submit a verified security report to [email protected]