Vulnerability Disclosure Program

At me&u, we are committed to the security and privacy of our customers' personal and financial information. We take all reports of vulnerabilities in our systems and applications seriously and appreciate the efforts of security researchers in helping us to identify and fix potential issues.

To report a vulnerability, please use the form at the end of this page, including steps to reproduce the vulnerability and any supporting documentation. If possible, please also include a suggested fix or workaround for the issue.

Upon receipt of a vulnerability report, we will acknowledge receipt of the report within 10 business days. We will then investigate the issue and provide a status update within 20 business days.

Once the issue has been resolved, we will work with the researcher to coordinate the public disclosure of the issue, if deemed appropriate by me&u. However, please note that we reserve the right to not publicly disclose the issue depending on the circumstances. We ask that researchers do not publicly disclose the issue until we have had the opportunity to address it and make a decision on public disclosure.

We will not take legal action against researchers who comply with this policy. We do, however, ask that researchers do not use any vulnerabilities they discover to harm our systems or users, or to gain unauthorised access to any data.

We also ask that researchers do not share the details of any vulnerabilities they discover with any third parties until the issue has been resolved and a decision on public disclosure has been made.

We may offer a monetary reward for significant security vulnerabilities that are reported and successfully resolved, based on the impact and difficulty of the issue. The amount of the reward will be at the discretion of me&u.

Expectations

When working with us according to this policy, you can expect:

  • Prompt and efficient triage of your report, including a timely initial response;
  • Swift resolution of identified vulnerabilities; and
  • Appreciation for your efforts in improving our security, especially if you are the first to report a previously unknown vulnerability that leads to a code or configuration change.

In-Scope Vulnerabilities

The following vulnerabilities are eligible for our security program, as they significantly impact the confidentiality or integrity of user data:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization Flaws
  • Server-Side Request Forgery (SSRF)
  • Server-Side Template Injection (SSTI)
  • SQL injection (SQLI)
  • XML External Entities (XXE)
  • Remote Code Execution (RCE)
  • Local or Remote File Inclusions

While these vulnerabilities are our primary focus for security research, we are also interested in reports for all software and dependencies, especially if they affect sensitive user data. This may include open-source libraries, software, or third-party components. At our discretion, we may issue rewards for reports not included in this list.

Out-of-Scope Vulnerabilities

The following items are not eligible for rewards under our security program:

  • Issues related to SPF/DMARC records.
  • Email and account policies, such as email verification, reset link expiration, and password complexity.
  • Logout Cross-Site Request Forgery attacks.
  • Vulnerabilities that require physical access to a user's device.
  • Exploits that require active steps from the victim to make themselves susceptible.
  • Social engineering tactics directed at our employees or clients.
  • Physical attacks against our property or data centers.
  • The presence of autocomplete attribute on web forms.
  • Missing security flags on non-sensitive cookies.
  • Access to data on rooted mobile devices.
  • Reports of missing security headers that do not directly lead to a vulnerability.
  • Host header Injection issues.
  • Reports from automated tools or scans that have not been manually validated.
  • Reports of banner or version information that are not correlated with a vulnerable version.
  • UI and UX bugs, and spelling mistakes.

The security team at me&u is dedicated to keeping our customers and their data safe. We thank you for engaging with us on our Vulnerability Disclosure Program.