We believe in the power of the security research community to assist us with our commitment to maintaining the best possible security posture. To this end, Memset has contracted with Bugcrowd to assist us in working with the research community in the most mutually effective, frictionless and transparent manner.
Our Commitment to Researchers:
- We will treat researchers in a professional manner
- We will respond without undue delay and maintain good lines of communication with researchers until vulnerabilities are mitigated
- We will act in good faith to repair or mitigate issues identified by researchers in a time-frame appropriate to the risks posed to our customers and the community at large
We ask you to:
- Report the issues you identify clearly and fully, using the form below
- Include proof of concept or a detailed explanation to assist us with recreating the issue
- Keep identified issues confidential
- Comply with the scoping and identification criteria below
- Bear with us. We will treat your findings responsibly and prioritise them accordingly, but this does not always make for instant responses
- Protect our and customers’ data – If you find sensitive data not intended for you, stop and report it immediately
The scope of our responsible disclosure programme includes all assets on the following domains:
Particular areas of interest include:
Out-of-scope areas and exceptions include:
- DoS or DDoS
- Destructive or performance-impacting attacks or testing
- Social engineering of any kind
- Submissions that do not pertain to Memset’s assets
- Flaws specific to unpatched browsers or plugins
- Simple, non-XSS content injection
- Logout CSRF
- Missing security-related flags on non-security impacting cookies
- Simple rate-limiting issues without a security impact
- Submissions entirely comprising output from commonly available automated scanners
Access & Credentials
Researchers can create accounts and users on the Memset control panels in order to facilitate testing of features behind the login pages. We request that researchers preface the Organisation Name of any accounts that they create with ‘bc-testing-’ to assist us with managing the impact on our user records. Please do not create excessive numbers of testing accounts.
Researchers are permitted to create any credentials required as part of testing under users registered to organisations as identified above.