Security

What this page is

• A public point of reference for security reporting and coordinated disclosure.
• A high-level description of the safeguards we design for and operate.

What this page is not

• A guarantee that vulnerabilities will never exist.
• A substitute for user-side security hygiene.

If you believe you found a vulnerability

Use our reporting portal. We will review good-faith reports and work to resolve confirmed issues.

What to include

• Affected surface (web, API, iOS) and URL(s) or endpoint(s)
• Steps to reproduce
• Expected vs actual behavior
• Security impact and why it matters
• Proof-of-concept (if safe) and relevant logs (optional)

What not to include

• Passwords, private keys, access tokens, or secrets
• Personal data of other users (minimize data exposure and stop once impact is demonstrated)
• Exploit code designed for broad misuse

Response expectations

We aim to:

• Acknowledge receipt within 2 business days
• Provide an initial triage assessment within 7 business days
• Keep you reasonably updated on status for confirmed, in-scope issues

These targets may vary depending on severity, complexity, and operational constraints.

Safe harbor for good-faith research

We will not initiate legal action against you for security research that:

• Is performed in good faith
• Is limited to in-scope targets
• Avoids privacy violations and service disruption
• Adheres to the rules of engagement below
• Is promptly reported to Mor

This safe harbor does not apply to:

• Extortion, ransom demands, or threats
• Attempts to access data beyond what is necessary to demonstrate impact
• Actions intended to harm users, degrade service, or compromise system integrity

Rules of engagement

You agree to:

• Avoid denial-of-service (DoS), automated high-volume scanning, or load testing
• Avoid social engineering, phishing, or physical attacks
• Use only accounts you own or have explicit permission to use
• Stop testing once you have demonstrated a vulnerability and impact
• Minimize data exposure and do not retain data you access
• Give Mor a reasonable opportunity to remediate before public disclosure

In-scope targets

The following are generally in scope:

• themorapp.com and subdomains controlled by Mor
• Mor web applications and APIs served from Mor-controlled domains
• Official Mor mobile applications published by Mor

Out-of-scope (examples)

The following are out of scope:

• Issues requiring physical access to a device you do not own
• Social engineering or third-party compromise (vendors, users, ISPs)
• Spam, content complaints, and policy disputes (use /report for safety concerns)
• Reports that only describe missing best practices without a demonstrable security impact
• Denial-of-service testing or volumetric attacks

Severity and remediation

We prioritize remediation based on impact and exploitability. For confirmed in-scope vulnerabilities, we aim to remediate within a reasonable timeframe aligned to severity and operational constraints.

Coordinated disclosure

We ask that you:

• Allow us time to investigate and fix before publishing details
• Coordinate timing of any public disclosure with us when possible

Bug bounty

Mor does not promise monetary rewards. We may, at our discretion, offer acknowledgements or other recognition.

Principles

• Data minimization: collect and retain only what we need to operate the service
• Least privilege: limit access to systems and data based on role and necessity
• Defense in depth: multiple layers of protection across identity, application, and infrastructure

Encryption

• Data in transit is protected using industry-standard transport encryption (e.g., TLS).
• We aim to protect sensitive data at rest using appropriate safeguards based on system design and provider capabilities.

Specific details may vary by component and may change over time as infrastructure evolves.

Identity and access

• Access to production systems is restricted to authorized personnel.
• We use role-based controls and strive to audit administrative access.

Monitoring and logging

• We monitor for anomalies and operational errors.
• Security-relevant events may be logged for investigation and reliability purposes.

Secure development

• We aim to apply secure coding practices, review changes that affect security boundaries, and patch dependencies as appropriate.

We do not publish implementation-sensitive details that would increase attacker advantage.