Mimecast’s Responsible Disclosure Policy
Mimecast understands that protection of customer data is a significant responsibility and requires our highest priority. We therefore take the security of our systems extremely seriously, and we genuinely value the assistance of security researchers and others in the security community to assist in keeping our systems secure. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.
There are a few guiding principles that we would really appreciate researchers adhering to:
- Ensuring that the vulnerability is not publicly disclosed before Mimecast has had a reasonable period of time to fix the vulnerability
- Keep communication channels open to allow effective collaboration
Guidelines for Responsible Disclosure
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerability you’ve discovered confidential between yourself and Mimecast until we’ve had 45 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- To maintain a good collaborative relationship with you and recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
- Mimecast MTA Servers
- Mimecast POP servers
- Mimecast Large File Send (LFS) service
- Mimecast Secure Messaging (SM) service
- Mimecast Unified Audit Utility
- Mimecast Administration Console
- Mimecast Personal Portal
- Mimecast Service Monitor
- Mimecast API
- Mobile clients for Android, iOS, Windows Mobile and Blackberry
Out of scope
Any services hosted by third party providers and services are excluded from scope. These services include:
- Mimecast Knowledge Base (kb.mimecast.com);
- Mimecast Academy (academy.mimecast.com);
- Anything else not explicitly named in the Scope section above.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Any attempt to modify or destroy data;
- Findings derived primarily from social engineering (e.g. phishing);
- Findings from applications or systems not listed in the ‘Scope’ section;
- Network level Denial of Service (DoS/DDoS) vulnerabilities or any other attempt to interrupt or degrade the services Mimecast offers, including impacting the ability for end users to use the service;
- Any attempts to access a user’s account or data;
- Anything not permitted by applicable law, unless permitted by this document.
Qualifying security bugs
What is a qualifying vulnerability?
Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, and authorization issues, privilege escalation and clickjacking. The vulnerability must be in one of the services named in the Scope section above. You must be the first researcher to responsibly disclose the vulnerability and you must follow the responsible disclosure principles set out in this policy, which include giving us a reasonable amount of time to address the vulnerability. The reasonable amount of time will be agreed with you following the disclosure of the vulnerability.
What is not a qualifying vulnerability?
Each submission will be evaluated on a case-by-case basis, here is a list of some of the issues which don’t qualify as security vulnerabilities
- UI and UX bugs and spelling mistakes;
- TLS/SSL related issues;
- SPF, DMARC, DKIM configurations;
- Vulnerabilities due to out of date browsers or plugins;
- Content-Security Policies (CSP);
- Vulnerabilities in end of life products;
- Lack of secure flag on cookies;
- Username enumeration;
- Vulnerabilities relying on the existence of plugins such as Flash;
- Flaws affecting the users of out-of-date browsers and plugins;
- Security headers missing such as, but not limited to "content-type-options", "X-XSS-Protection";
- CAPTCHAs missing as a Security protection mechanism;
- Issues that involve a malicious installed applictaion on the device;
- Vulnerabilities requiring a jailbroken device;
- Vulnerabilities requiring a physical access to mobile devices;
- Use of a known-vulnerable library without proof of exploitability;
- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms please report it by emailing our security team. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability; and
- Your name/handle and a link for recognition in our Security Researcher Hall of Fame.
Security Research Wall of Fame
Mimecast would like to publicly convey our deepest gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. Your legendary efforts are truly appreciated by Mimecast.
- Pradeep Kumar - facebook.com/pradeepch99
- Sumit Jain - facebook.com/sumit.cfe
- Jay Patel - facebook.com/jaypatel9717
- Deepak Das - facebook.com/deepak.das.581525
- Shivam Kumar Agarwal - facebook.com/shivamkumar.agarwal.9
- Naveen Sihag - twitter.com/itsnaveensihag
- Rafael Pablos
- D.J. Vogel
- Matias P. Brutti
- Mike Brown - twitter.com/m8r0wn
- Stephen Tomkinson (NCC Group Piranha Phishing Simulation)
- Will Pearce & Nick Landers (Silent Break Security)
- Dipu Hasan
- Paul Price (Schillings Partners)
- Terry Conway (CisCom Solutions)
- Abdul Mateen
- Pritam Singh
- John Lee (City Business Solutions UK Ltd)
- Charlie Smith - twitter.com/moopinger
- Patrick Sukop - twitter.com/iKnadt
- Abdelhak Kharroubi
- Francesco Lacerenza - www.linkedin.com/in/francesco-lacerenza/
- Raphaël (Access42 B.V.)