Introduction
Mindstate Psychology Pty Ltd is committed to protecting the security and privacy of our clients, staff, and partners. We recognise that the security research community plays an important role in helping organisations identify and address vulnerabilities.
This policy sets out how we handle vulnerability reports, what systems are in scope, and the protections available to researchers who act in good faith.
Scope
The following systems are in scope for vulnerability disclosure:
- Mindstate Psychology website (mindstatepsychology.com.au)
- Mindstate Learning platform (mindstatelearning.com.au)
- Internal web applications and tools operated by Mindstate Psychology
- Mindstate Psychology public-facing services
The following are explicitly out of scope. Please do not test or report vulnerabilities against these systems:
- Third-party services and platforms used by Mindstate Psychology, including Zanda Health (client portal), Microsoft 365, Front, and any other vendor-operated systems — please report vulnerabilities in these directly to the respective vendor
- Social engineering attacks targeting Mindstate Psychology staff, clients, or contractors
- Physical security of Mindstate Psychology premises or equipment
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning of production systems without prior written approval
Any actions against out-of-scope services are not covered by our safe harbour commitment. Mindstate Psychology reserves the right to take action against individuals who exceed the bounds of this policy.
Reporting a Vulnerability
If you discover a potential vulnerability in any in-scope system, please report it to us as soon as possible by emailing: cyber.security@mindstatepsychology.com.au. To help us investigate and resolve the issue efficiently, please provide:
- A clear description of the vulnerability and the potential impact
- The system or URL affected
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code, screenshots, or supporting material
- Your contact details (optional, but helpful for follow-up)
If your report contains sensitive details, please indicate this in your email and we will arrange a secure channel for information exchange.
Our Commitment to Security Researchers
When you report a vulnerability in accordance with this policy, Mindstate Psychology commits to:
- Acknowledging receipt of your report within 3 business days
- Providing an initial assessment and expected resolution timeline within 10 business days
- Keeping you informed of our progress throughout the investigation
- Notifying you when the vulnerability has been remediated
- Crediting your contribution (with your consent) if you wish to be acknowledged
Safe Harbour
Mindstate Psychology will not pursue civil or criminal action against researchers who:
- Discover and report vulnerabilities in good faith, in accordance with this policy
- Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it
- Do not exploit the vulnerability for personal gain or cause harm to Mindstate Psychology, its clients, or staff
We ask that you act in good faith and give us the opportunity to address the issue before any public disclosure. We will work with you in good faith in return.
Responsible Disclosure
We follow a coordinated disclosure model. We ask that researchers:
- Allow us a reasonable period (typically 90 days) to investigate and remediate reported issues before any public disclosure
- Contact us before publicly sharing details of any vulnerability
- Not access or modify data beyond what is necessary to confirm the vulnerability exists
If you believe we are not responding in a reasonable timeframe, please follow up via the contact address above.
Privacy of Reporter Information
Any personal information provided in a vulnerability report will be used solely for the purpose of investigating and resolving the reported issue. It will be handled in accordance with the Privacy Act 1988 (Cth) and our Privacy Policy.
Contact
For questions about this policy or to submit a report:
- Email: cyber.security@mindstatepsychology.com.au
- Website: www.mindstatepsychology.com.au