Effective Date: 30 July 2025
Last Updated: 30 July 2025
The Minds Journal, operated by Minds Journal Private Limited, is committed to protecting the confidentiality, integrity, and availability of the data and systems used across its digital platforms.
This Security & Vulnerability Disclosure Policy explains our general security posture and provides guidance for security researchers or responsible reporters who wish to disclose potential vulnerabilities affecting our websites, subdomains, community platforms, and related services.
The official website of The Minds Journal is themindsjournal.com.
For more about our platform, mission, and publishing ecosystem, please visit About The Minds Journal.
Security at a Glance
- We use layered security controls across our digital services.
- We encourage responsible, good-faith vulnerability reporting.
- Researchers who follow this policy may qualify for safe-harbor treatment.
- Vulnerability reports should be sent to [email protected].
- A security contact file may be available at /.well-known/security.txt.
- Critical incidents may trigger user notification where required by applicable law.
1. Who We Are
The Minds Journal is a global digital publishing platform focused on mental health, psychology, relationships, emotional wellness, and personal growth. It is operated by Minds Journal Private Limited.
This Policy applies to security issues affecting digital services operated by Minds Journal Private Limited, which may include:
- themindsjournal.com
- MindTalk Hub at community.themindsjournal.com
- related websites and subdomains
- mobile applications
- publishing, community, and support services
- other relevant digital systems operated by the company
2. Our Security Principles
We work to protect our systems and user data through layered security practices and ongoing risk management.
Our security approach may include principles such as:
Defense in Depth
We use multiple overlapping controls designed to reduce risk, including measures such as web application protections, rate limiting, authentication controls, and system monitoring.
Least Privilege
Access to administrative systems, infrastructure, and sensitive data is limited based on role and operational need.
Encryption
We aim to protect data in transit and, where appropriate, sensitive data at rest using modern encryption practices.
Monitoring and Response
We use logging, monitoring, and alerting to help detect suspicious activity, abnormal behavior, and security incidents.
Secure Development Practices
We may use code review, dependency monitoring, patching, vulnerability scanning, and periodic security review as part of platform maintenance.
3. Responsible Vulnerability Disclosure
We support a coordinated vulnerability disclosure approach.
If you believe you have found a security vulnerability affecting The Minds Journal or related systems operated by Minds Journal Private Limited, please report it responsibly.
How to Report
Please send reports to:
If available, our PGP key or additional reporting information may be referenced through:
What to Include
To help us assess and respond efficiently, please include:
- a clear description of the issue
- affected URL, feature, endpoint, or system
- steps to reproduce the issue
- proof of concept where appropriate
- impact assessment if known
- your contact details for follow-up
Good-Faith Expectations
When reporting a vulnerability, please act in good faith and do not:
- access, modify, or exfiltrate user data unnecessarily
- make persistent changes to any account, data, or system
- exploit the issue beyond what is reasonably necessary to demonstrate the problem
- publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and respond
4. Safe Harbor
Where a security researcher acts in good faith, follows this Policy, avoids privacy harm, and does not abuse the vulnerability, Minds Journal Private Limited generally intends not to pursue legal action solely for the act of reporting a valid in-scope vulnerability.
This safe-harbor approach is intended to support responsible security research and coordinated remediation.
This does not authorize actions that are illegal, destructive, privacy-invasive, or outside the reasonable scope of vulnerability verification.
5. Response Timeline
We aim to respond to valid vulnerability reports within reasonable timeframes.
Target response windows may include:
- Acknowledgement: within 24 hours
- Initial assessment: within 3 business days
- Mitigation or patch target: based on severity and complexity
- Public disclosure timing: by mutual agreement after remediation, where applicable
Illustrative severity targets from our current framework include:
- critical issues: approximately 15 business days
- high severity: approximately 30 days
- medium or lower severity: approximately 90 days
These are targets, not guarantees. If more time is needed, we may update the reporter with a revised timeline where appropriate.
6. Out of Scope Testing
Some activities are not authorized under this Policy and may be treated as out of scope.
These include, for example:
- automated brute-force attacks without prior authorization
- denial-of-service testing or load-based service degradation
- social engineering of employees, users, or contractors
- spam-style mass exploitation
- testing unrelated third-party systems not controlled by us
- reporting minor issues without a realistic security impact or exploit path
Examples of lower-priority or excluded findings include certain misconfigurations or non-exploitable issues such as missing DNSSEC, clickjacking on non-sensitive pages, or outdated third-party libraries without an exploitable path.
7. Rewards and Recognition
We may choose to recognize valid, in-scope, responsibly disclosed vulnerabilities through non-monetary acknowledgment, such as a security hall of fame or similar recognition, where implemented and where the reporter opts in.
Monetary bounty programs, if introduced in the future, will be governed by separate program terms.
8. Incident Response and User Notification
If a significant security incident occurs, we may activate our internal incident response procedures.
Depending on the nature of the incident and applicable law, this may include:
- containment and mitigation
- forensic investigation
- service hardening
- notification to affected users
- reporting to regulators or authorities where required
- publication of a security bulletin or post-incident summary where appropriate
Where a data breach or critical incident triggers a legal notification obligation, users may be notified within the timeframe required by applicable law.
9. Contact Information
For vulnerability disclosure or security-related questions, contact:
Primary Email: [email protected]
Security Contact File:
https://themindsjournal.com/.well-known/security.txt
Postal Address:
Chief Information Security Officer
Minds Journal Private Limited
Module 18, Floor 14, Bengal Eco Intelligent Park, EM 3, Sector 5, Salt Lake City, Kolkata 700091, India
10. Policy Updates
We may revise this Security & Vulnerability Disclosure Policy from time to time to reflect changes in our systems, legal requirements, reporting processes, or security practices.
Where material changes are made, we may publish notice in advance through our website or related policy channels.
The “Last Updated” date at the top of this page reflects the latest revision.
11. Data Retention and Deletion
Our broader privacy and compliance framework may include a Data Retention & Deletion Schedule that explains how long different categories of data are retained, why they are retained, and how deletion or anonymization is handled when retention periods expire.
This may include categories such as:
- account profile data
- authentication logs
- user-generated content
- payment and billing records
- support tickets
- moderation records
- analytics logs
- incident and security logs
- backup snapshots
User-initiated deletion requests may be handled through account tools or privacy request channels, subject to verification, retention obligations, fraud-prevention needs, legal holds, and backup retention windows.
About The Minds Journal
The Minds Journal is the flagship digital publishing platform of Minds Journal Private Limited, focused on mental health, psychology, relationships, emotional wellness, and personal growth.
Our broader ecosystem also includes MindTalk Hub, Mind Help, Mind Family, and CosmicCalling.com.
Learn more on our About The Minds Journal page.
Frequently Asked Questions
What is The Minds Journal Security Policy?
The Minds Journal Security Policy explains the security principles, vulnerability disclosure process, reporting expectations, and response approach used by Minds Journal Private Limited across its digital services.
Who operates The Minds Journal?
The Minds Journal is operated by Minds Journal Private Limited.
How do I report a security vulnerability to The Minds Journal?
You can report a suspected vulnerability by emailing [email protected] and including enough detail for review and reproduction.
Does The Minds Journal have a responsible disclosure policy?
Yes. The Minds Journal follows a coordinated vulnerability disclosure approach and encourages good-faith security reporting.
Does The Minds Journal offer safe harbor for good-faith reporting?
Yes. Where researchers follow the policy, avoid harm, and act responsibly, Minds Journal Private Limited generally intends not to pursue legal action solely for reporting an in-scope vulnerability.
Does this policy apply to MindTalk Hub and related services?
Yes. This policy may apply to The Minds Journal websites, subdomains, community platforms such as MindTalk Hub, and related digital services operated by Minds Journal Private Limited.