Responsible Disclosure Policy

Mesh Connect values external security researchers (referred to as "reporters" or "researchers" in this policy) for their significant contributions to the digital security landscape. This policy outlines the guidelines for responsible disclosure and collaboration between Mesh Connect and security researchers.

In the event that reporters discover a vulnerability related to any Mesh Connect product or the official website (meshconnect.com, as discussed in more detail below), we strongly encourage the researcher to submit the bug to security_report@meshconnect.com. Before making a disclosure, it is recommended to review the detailed guideline below on how to submit a helpful and comprehensive bug report.

Mesh Connect expects researchers to adhere to the following principles:

  • Respect for our company: Researchers are required to operate within the parameters specified in this policy.
  • Privacy: Unauthorized actions on user accounts, data, or any Mesh Connect customer information are strictly prohibited.
  • Patience: Researchers are expected to act in good faith, provide additional information upon request, and clarify details.
  • Do no harm: Contribute to the common good by promptly reporting any identified vulnerabilities.

Mesh Connect is dedicated to:

  • Addressing security concerns: Promptly and transparently resolving reported security issues.
  • Acknowledging contributors: Publicly recognizing and appreciating reporters for their valuable contributions.
  • Rewarding researchers: Offering public recognition and, at our discretion, providing valuable gifts and/or financial compensation for valid, high-severity issues.
  • Non-punitive approach: Ensuring a non-punitive stance towards good-faith reporters, provided they comply with our policy and industry standards for security research.

Security researchers participating in the program are expected to observe the following "Don'ts" and obligations:

  • Ensuring compliance with the relevant laws and regulations governing security research activities within the applicable jurisdiction.
  • Conducting comprehensive testing on assets within the predefined system scope to identify and address vulnerabilities effectively.
  • Exercising caution to prevent any damage or interference with Mesh Connect's information systems during the course of security research activities.
  • Stopping testing activities immediately upon the identification of a vulnerability to prevent any further unintended impact.
  • Avoiding the testing of services that fall outside the explicitly defined system scope to maintain the integrity of the assessment.
  • Refraining from exploiting vulnerabilities beyond the minimum necessary actions required to demonstrate their existence, ensuring responsible and ethical research practices.
  • Avoiding intentional access to private information and refraining from compromising user privacy during security research. Sensitive data includes but is not limited to personally identifiable information, financial details (such as account numbers), proprietary information, and trade secrets.
  • Not causing a denial of any service in the course of testing.
  • Refraining from physical access control testing (e.g., Mesh Connect office access, open doors, tailgating, or other trespass).
  • Avoiding social engineering in any form against Mesh Connect's personnel or contractors.
  • Contacting Mesh Connect at securitybugreport@meshconnect.com for guidance if uncertain about whether to proceed with testing.

In addition to the "Don'ts" outlined above for security researchers participating in the meshconnect.com Bug Bounty Program, participants must meet the following eligibility criteria. You are not eligible if you:

  • Reside in, or submit a submission from, a country subject to export sanctions or trade restrictions by the United States. Examples include but are not limited to Cuba, Iran, North Korea, Sudan, and Syria.
  • Violate any national, state, or local laws or regulations. Participants must comply with all relevant legal requirements during their involvement in the Bug Bounty Program.
  • Are currently employed by Mesh Connect or its subsidiaries.
  • Are an immediate family member of a person employed by Mesh Connect or its subsidiaries or affiliates.
  • Are under the age of 14. Participants aged 14 or older who are considered minors in their place of residence must obtain parental or legal guardian consent before joining the program.

The following also apply to all participants:

  • Submission: Vulnerability reports should be submitted via email to securitybugreport@meshconnect.com.
  • Confidentiality: Researchers should maintain confidentiality of vulnerability information until receiving confirmation of issue resolution.
  • Attribution: Reporters may request not to be named in public acknowledgments.

A thorough bug report should include the following elements:

  • Detailed Bug Description: Provide a comprehensive description of the identified bug, including its nature, potential impact, and the steps taken to replicate it.
  • Mesh Connect Product or Web Application URL: Clearly specify the URL of the Mesh Connect product or web application where the bug was discovered. This ensures accurate identification and prompt resolution.
  • Single Vulnerability per Report: Submit one vulnerability per report, unless chaining vulnerabilities is necessary for impact demonstration.
  • Screenshots or Sample Code (if Relevant): Include visual aids, such as screenshots, illustrating the bug's details. Additionally, if applicable, provide sample code snippets to enhance the understanding of the issue.
  • Proof-of-Concept Exploit (if Available): Whenever possible, furnish a proof-of-concept exploit to demonstrate the practical exploitation of the identified vulnerability. This aids in a clearer understanding and faster resolution.
  • Avoid Unanalyzed Crash Dumps or Fuzzer Output: Reporters are discouraged from submitting unanalyzed crash dumps or fuzzer output unless accompanied by a sufficiently detailed explanation of how they represent a security vulnerability. This ensures that submissions are meaningful and contribute to effective issue resolution.
  • Report Other Incidental Vulnerabilities: Reporters are encouraged to report other vulnerabilities that are incidental to their in-scope testing, even if those vulnerabilities would typically be considered out-of-scope. For instance, if during testing of an in-scope system, the reporter discovers data exposure from an out-of-scope system, these incidents are still considered reportable vulnerabilities.

Mesh Connect aims to respond to all submissions within a few days. Researchers are kindly requested to refrain from publicly disclosing vulnerability details until our investigation is complete.

Our vulnerability disclosure program is designed to address security-related bugs within meshconnect.com. We encourage reporters to focus on the following bug categories.

Examples of bugs that we would like to know about:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting
  • Insecure Deserialization
  • Supply Chain Vulnerabilities
  • Logging Vulnerabilities
  • Broken Object Level Authorization
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Improper Assets Management

The following are out of scope:

  • Spam or social engineering of Mesh Connect employees or customers.
  • Denial-of-service attacks against Mesh Connect commercial products or network infrastructure.

We would like to see reports for security bugs in one or more of the following Mesh Connect products, technologies and programs:

  • api.meshconnect.com

If you find a bug in a product or tool that Mesh Connect uses but was potentially built by someone else, we’d appreciate it if you let us know so we can pass on details to the relevant third parties.
