Security

Vulnerability Disclosure Policy

Help us keep Magia Menu secure

Safe Harbor

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, following this policy. We consider security research conducted in accordance with this policy to be authorized, and we will work with you to understand and resolve the issue quickly.

How to Report

If you believe you've found a security vulnerability, please report it to us:

Email: magiamenu@gmail.com

Subject: Security Vulnerability: [Brief Description]

Please include: vulnerability description, steps to reproduce, potential impact, and any proof-of-concept code.

Response Timeline

Initial acknowledgment within 48 hours

  • Critical: target fix 7 days
  • High: target fix 30 days
  • Medium: target fix 90 days
  • Low: target fix 180 days

In Scope

  • *.magia.menu domains
  • Magia Menu mobile application
  • API endpoints (api.magia.menu)
  • Authentication and authorization flaws
  • Data exposure vulnerabilities
  • Injection vulnerabilities (SQL, XSS, etc.)

Out of Scope

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering attacks
  • Physical attacks on infrastructure
  • Third-party services and integrations
  • Vulnerabilities requiring physical access
  • Spam or phishing attempts

Responsible Disclosure Guidelines

  1. Do not access, modify, or delete data that doesn't belong to you
  2. Do not degrade the performance or availability of our services
  3. Do not publicly disclose the vulnerability before we've had time to fix it
  4. Provide sufficient detail to reproduce the vulnerability
  5. Act in good faith to avoid privacy violations and data destruction

Recognition

We appreciate security researchers who help us improve our security. With your permission, we'll acknowledge your contribution on our security page.

Hall of Fame

We thank the security researchers who helped make Magia Menu safer. With their permission, we publicly recognize their contributions here.

  • Anonymous researcher, April 2026: Public exposure of staging API structure and inconsistent access control for menu URLs.
