Security & Responsible Disclosure

Last updated: October 1, 2025

Our commitment to security, vulnerability reporting procedures, and responsible disclosure guidelines.

1) Our Security Commitment

At Mamba Host, security is fundamental to everything we do. We are committed to:

  • Protecting customer data and infrastructure with industry-leading security practices
  • Maintaining transparent communication about security matters
  • Working collaboratively with security researchers to identify and fix vulnerabilities
  • Continuously improving our security posture through testing and updates
  • Responding promptly and professionally to security reports

2) Reporting Security Vulnerabilities

We welcome reports of potential security vulnerabilities in our systems, applications, and infrastructure. If you discover a security issue, please report it responsibly.

How to Report:

Security Team Contact
Email: security@mambahost.com
PGP Key: Available at /security.txt
Subject: "Security Vulnerability Report"

What to Include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and affected systems
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up
  • Whether you plan to publicly disclose (and when)

3) Scope of Program

In Scope:

  • Mamba Host websites (mambahost.com, *.mambahost.com)
  • Control panel (panel.mambahost.com)
  • API endpoints (api.mambahost.com)
  • Customer-facing infrastructure and applications
  • Authentication and authorization systems
  • Payment processing workflows (excluding third-party processors)

Out of Scope:

  • Third-party services and integrations (report to them directly)
  • Customer game servers and VPS instances (customer responsibility)
  • Social engineering attacks against Mamba Host employees
  • Physical security of our datacenters (managed by facility providers)
  • Denial of service attacks
  • Issues requiring physical access to systems

4) Safe Harbor Provisions

We consider security research conducted in accordance with this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
  • Lawful and we will not pursue legal action against you
  • Appreciated and we will work with you to understand and resolve issues

To qualify for safe harbor protection, you must:

  • Report vulnerabilities through proper channels (security@mambahost.com)
  • Not access, modify, or delete data belonging to others
  • Not degrade or disrupt our services or infrastructure
  • Not exploit vulnerabilities beyond what's necessary to demonstrate the issue
  • Give us reasonable time to address issues before public disclosure
  • Act in good faith to avoid privacy violations, data destruction, and service interruption

5) Response Timeline

We are committed to responding promptly to security reports:

  • Initial response: Within 24 hours (acknowledgment of receipt)
  • Triage & validation: Within 3 business days (severity assessment)
  • Status updates: Every 5 business days until resolution
  • Critical issues: Immediate escalation to senior engineering team
  • Resolution: Varies by severity (critical: 7 days target, high: 30 days, medium: 60 days, low: 90 days)

6) Severity Classification

We classify vulnerabilities using the following severity levels:

Critical:

  • Remote code execution on production systems
  • SQL injection leading to data exposure
  • Authentication bypass affecting all users
  • Mass data exposure or deletion

High:

  • Privilege escalation to admin level
  • Cross-site scripting (XSS) in sensitive contexts
  • CSRF leading to significant actions
  • Unauthorized access to customer data

Medium:

  • Information disclosure (limited scope)
  • CSRF in non-critical functions
  • Reflected XSS
  • Security misconfiguration with moderate impact

Low:

  • Minor information leaks
  • Missing security headers
  • Low-impact CSRF
  • Best practice violations

7) Coordinated Disclosure

We follow coordinated (responsible) disclosure principles:

  • 90-day disclosure window: We aim to resolve issues within 90 days of your report
  • Mutual communication: We'll keep you updated on progress and expected fix timeline
  • Public disclosure: We support public disclosure after fix deployment (with your consent)
  • Credit: We'll acknowledge your contribution (unless you prefer to remain anonymous)
  • Early disclosure: If you need to disclose before 90 days, please discuss with us first

For critical, actively exploited vulnerabilities, we may request accelerated disclosure to protect customers.

8) Recognition & Rewards

We deeply appreciate security researchers' contributions:

Security Hall of Fame:

  • Public acknowledgment on our website (with your permission)
  • Recognition in our security advisories
  • LinkedIn recommendation (if requested)

Swag & Rewards:

  • Critical vulnerabilities: $500 account credit + Mamba Host swag
  • High severity: $250 account credit + swag
  • Medium severity: $100 account credit + swag
  • Low severity: Public recognition + swag

Reward Eligibility:

  • First to report a unique, valid vulnerability
  • Clear, reproducible report with impact assessment
  • Following safe harbor guidelines
  • Not a duplicate of previously reported or known issues

Reward amounts are at our discretion based on severity, impact, and quality of report.

9) Prohibited Activities

The following activities are strictly prohibited and void safe harbor protections:

  • Denial of service (DoS/DDoS) testing
  • Physical attacks on facilities or equipment
  • Social engineering of employees, contractors, or customers
  • Accessing, modifying, or deleting other users' data
  • Intentionally degrading service quality or availability
  • Spamming or abusing rate limits
  • Brute force attacks on authentication systems
  • Testing on production customer data (use test accounts)
  • Public disclosure before coordinated timeline

10) Security Best Practices for Customers

We provide secure infrastructure, but customers share responsibility for security:

Account Security:

  • Use strong, unique passwords (15+ characters, mixed case, numbers, symbols)
  • Enable two-factor authentication (2FA) on your account
  • Never share account credentials
  • Review account activity logs regularly
  • Use API tokens instead of passwords where possible

Server Security:

  • Keep game servers and software up to date
  • Use strong passwords for in-game admin accounts
  • Configure firewalls to limit access to necessary ports only
  • Regularly review installed plugins/mods for security issues
  • Enable automatic backups for critical data

Data Protection:

  • Encrypt sensitive data before uploading to servers
  • Regularly backup important configurations and data
  • Be cautious about what data you collect from players
  • Comply with data protection laws (GDPR, CCPA, etc.)
  • Implement proper access controls for your team members

11) Incident Response

In the event of a security incident affecting Mamba Host systems:

  • Detection: Automated monitoring and alerting systems
  • Containment: Immediate isolation of affected systems
  • Investigation: Forensic analysis to determine scope and impact
  • Remediation: Patch vulnerabilities and restore service
  • Notification: Inform affected customers per DPA requirements
  • Post-mortem: Document lessons learned and improve processes

Critical incidents are posted to our status page and customers are notified via email within 72 hours.

12) Security Audits & Testing

We maintain proactive security practices:

  • Annual penetration testing: Third-party security firms
  • Continuous vulnerability scanning: Automated tools and manual review
  • Code reviews: Security-focused review of all code changes
  • Dependency monitoring: Automated alerts for vulnerable libraries
  • Compliance audits: SOC 2 Type II (in progress), PCI DSS where applicable

13) Security Contact & Resources

Multiple ways to reach our security team:

Security Team
Email: security@mambahost.com
PGP Fingerprint: [Available in security.txt]
Security.txt: /.well-known/security.txt
Status Page: status.mambahost.com

14) Security Transparency

We believe in transparency about security:

  • Security advisories: Published for significant vulnerabilities after fix deployment
  • Incident reports: Post-mortems for major security events
  • Hall of fame: Recognition of researchers who help secure our platform
  • Security updates: Regular blog posts about security improvements

15) Legal & Compliance

Our security program supports compliance with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA/CPRA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • System and Organization Controls (SOC 2)
  • Industry best practices and security frameworks

16) Bug Bounty Program Expansion

We're exploring expansion of our security program:

  • Potential future partnership with bug bounty platforms
  • Expanded reward tiers for exceptional research
  • Private bug bounty program for vetted researchers

Stay tuned for announcements at mambahost.com/blog

17) Questions & Support

For questions about this policy or our security program:

18) Policy Updates

We may update this policy to reflect program changes, new practices, or legal requirements. Updates will be posted with an updated "Last updated" date. Material changes will be announced via our blog and security mailing list.

Related Policies