MIMHO Security Policy

How to report

Email us at security@mimho.com.br with a clear description, reproduction steps, affected pages/contracts, and any proof-of-concept (PoC).

• Subject: [MIMHO SECURITY] Short title
• Include: chain, contract, function, and transaction examples (if any)
• If urgent/exploitable, mark as CRITICAL

What is in scope

This policy covers vulnerabilities that could impact users, funds, or integrity of the MIMHO ecosystem.

• Official website: mimho.io and its pages
• Smart contracts officially published/linked by MIMHO
• Wallet connect flows, UI security issues, phishing vectors
• Infrastructure configs directly controlled by MIMHO (e.g., DNS, redirects)

What is not in scope

We may still reply, but the items below typically do not qualify as security vulnerabilities.

• Issues in third-party sites/services not controlled by MIMHO
• Social engineering of individuals
• Spam, rate limiting suggestions, or best-practice-only reports
• Reports without reproducible steps

Responsible research

If you act in good faith, avoid user harm, and give us time to respond, we consider your research helpful. Please do not exploit vulnerabilities beyond what is necessary to prove impact.

• Do not access or modify user funds
• Do not degrade services (no DDoS/testing at scale)
• No public disclosure before mitigation

What happens after you report

We aim to acknowledge reports quickly and keep communication open with clear status updates.

• Acknowledgement: usually within 72 hours
• Triage & validation: severity and reproducibility check
• Mitigation plan: patch, upgrade, or operational response
• Public note (if needed) after mitigation

Anti-phishing notice

MIMHO will never ask for your seed phrase or private keys. Always verify you are on the official domain and use official contract addresses only.

If you spot fake tokens or cloned websites, email security@mimho.com.br immediately.