Vulnerability Disclosure Policy
Introduction
At MeritBoost, we take security seriously. We value the contributions of security researchers and the broader community in helping us maintain high security standards. This Vulnerability Disclosure Policy outlines how we handle security vulnerabilities and provides guidelines for reporting potential security issues.
Scope
This policy applies to all MeritBoost services, applications, and infrastructure, including:
- MeritBoost web applications and APIs
- Mobile applications
- Backend infrastructure
- Any other software or services provided by MeritBoost
Reporting a Vulnerability
If you believe you've discovered a security vulnerability in any of MeritBoost's services or products, we encourage you to report it to us as soon as possible. Please follow these steps:
- Email: Send your findings to security@cyberfinity.io with the subject line "Vulnerability Report: [Brief Description]"
- Encryption: If possible, encrypt sensitive information using our PGP key (available upon request)
- Details: Provide sufficient information to reproduce the vulnerability, including:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any tools or software used to identify the vulnerability
What to Expect
When you submit a vulnerability report, you can expect the following from us:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Verification: Our security team will verify the vulnerability and determine its impact
- Updates: We will keep you informed about our progress in addressing the vulnerability
- Resolution: Once resolved, we will notify you and may request your feedback on the fix
Safe Harbor
We commit to not pursue legal action against security researchers who:
- Make a good faith effort to comply with this policy
- Report vulnerabilities directly to us and give us reasonable time to respond
- Avoid disrupting our services, destroying data, or harming user privacy
- Do not exploit a security issue beyond what is necessary to prove that it exists
Prohibited Activities
The following activities are expressly prohibited:
- Accessing, modifying, or deleting data belonging to other users
- Executing or attempting Denial of Service (DoS) attacks
- Social engineering of MeritBoost staff or contractors
- Physical attacks against MeritBoost infrastructure
- Testing third-party applications, websites, or services that integrate with MeritBoost
Recognition
We believe in acknowledging the contributions of security researchers. With your permission, we may:
- Publicly thank you for your responsible disclosure
- Add your name to our security acknowledgments page
- Provide details about the vulnerability after it has been fixed
Changes to this Policy
MeritBoost may update this Policy from time to time. We will notify customers of any changes by posting the new Policy on our website and, if the changes are significant, we will provide a more prominent notice.
Contact Information
If you have any questions about this Policy, please contact us at security@cyberfinity.io.