Skawa Innovation Kft. takes the security of the mnrv.ai (Minerva) platform seriously. This page describes how to report a security vulnerability to us and what you can expect in return. It is published in support of our obligations under the EU Cyber Resilience Act (Regulation (EU) 2024/2847).
1. How to report a vulnerability
Please report suspected security vulnerabilities privately by email to info@mnrv.ai with the subject line "SECURITY:".
Please do not open a public issue, post on social media, or otherwise disclose the vulnerability before we have had a reasonable opportunity to remediate it. We support encrypted communication on request — email us first and we will provide a key.
To help us triage quickly, please include where possible:
- a clear description of the issue and its potential impact;
- the affected product and version (app build number, web app, or backend endpoint);
- step-by-step reproduction instructions or a proof of concept;
- any logs, screenshots, or request/response captures (with secrets redacted);
- whether you believe the vulnerability is being actively exploited — this triggers an accelerated response on our side.
2. Products in scope
This policy covers the Minerva platform as placed on the market:
- the Minerva iOS app (App Store / TestFlight);
- the Minerva Android app (Google Play);
- the Minerva web app at app.mnrv.ai; and
- the manufacturer-operated backend services these clients rely on.
Vulnerabilities in third-party platforms we build on (e.g. Google/Firebase, Meta, NAV Online Számla, Cloudflare) should be reported to their respective vendors. We will still act on any report whose impact reaches Minerva.
3. What you can expect from us
- We acknowledge receipt of your report within 3 business days.
- We complete an initial triage and severity assessment within 7 business days.
- We provide status updates at least every 14 days while we remediate.
- We fix confirmed high/critical issues as fast as reasonably possible; server-side fixes are deployed continuously.
For vulnerabilities we determine to be actively exploited, we follow the regulatory reporting timeline applicable to us, including an early warning to the relevant authority within 24 hours.
4. Coordinated disclosure
We practise coordinated disclosure. We will work with you on a disclosure timeline and credit you (if you wish) once a fix is available. Our default embargo is 90 days from the date we acknowledge a valid report, which may be shortened (active exploitation) or extended (complex fixes) by mutual agreement.
5. Safe harbour
We will not pursue or support legal action against researchers who:
- act in good faith and avoid privacy violations, data destruction, or service degradation;
- only interact with accounts they own or have explicit permission to test;
- give us a reasonable time to remediate before any public disclosure; and
- do not exfiltrate more data than necessary to demonstrate the issue.
This is not a paid bug-bounty programme. We are grateful for responsible reports and will acknowledge contributors at their request.
6. Security updates & support period
Minerva has a declared support period of 5 years from each major release, during which we handle vulnerabilities and provide free security updates. Client updates are delivered through the App Store and Google Play; web and backend fixes are deployed server-side and apply automatically.
7. Contact
Skawa Innovation Kft. (Skawa Innovation Ltd.)
Court registration number Cg.01-09-907962 · EU VAT number HU14528114
Registered office: H-1093 Budapest, Gálya utca 6., Hungary
Security contact: info@mnrv.ai
Machine-readable contact details are also published at /.well-known/security.txt (RFC 9116).