mesibo bug bounty program
Mesibo strongly believes in information security. To offer cutting edge security to our customers, we maintain a Bug Bounty Program for security researchers to get rewarded for reporting security and privacy issues in the mesibo platform.
If you believe you have found a security or privacy vulnerability in mesibo platform, let us know quickly. We will investigate all qualifying reports and if your vulnerability report uniquely identifies a security or privacy issue in the mesibo platform that is within the scope of our bounty program, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions.
Before You Submit - VERY IMPORTANT
Read befor your spend your valuable time:
- VALUE YOUR TIME: Before spending your time, read Qualifying and non-Qualifying Reports below. We are only interested in Qualifying reports related to mesibo real-time APIs. We may discard (or use and discard) any non-qualifying reports without any acknowledgment or replies. With all due respect to your expertise, time, and opinion, we are NOT INTERESTED in receiving non-qualifying reports, however important you feel they are.
- No follow-up: We read all the reports. If you do not get a reply, consider that either it is in the review pipeline or it was not qualified. Any follow-up will disqualify even unread reports.
Any mesibo API issue that compromises the confidentiality or integrity of user data is likely to be in scope for the program.
Your report submission MUST include:
- Detailed description
- Affected mesibo products and services
- Exact steps to reproduce the issue
- A small program to demonstrate the issue using the latest real-time API, along with compilation and running instructions. Your program should not use any third-party libraries and must be as small as possible, only to demonstrate the issue.
- You MUST only use your own app token and API key while demonstrating the issue.
- Your report MUST contain mesibo account details and proof of using the mesibo first app. All reports without using the mesibo first app will be discarded (or used and discarded) without any response or credits.
- You must provide your LinkedIn or any valid social credentials which MUST match your email address. Reports from any non-human email address will be discarded (or used and discarded) without any response or credits.
None of the above is OPTIONAL. If your report is missing any of those, it will not be considered as a qualifying report and we may not investigate the issue.
You also need to give us a reasonable time to investigate and resolve an issue you reported before publicly disclosing or sharing with others.
Non-qualifying Reports - Out of Scope
Although we review all the reports, this reward program is focused on mesibo API security and privacy issues. Hence some of the common low-risk issues do not qualify for the reward program. However, we may acknowledge your contribution if a valid issue is found. Following are some of the non-qualifying reports.
- Any non-API issues. All the issues which are not related to mesibo real-time APIs will not be eligible.
- Out-of-date API issues. Verify your report using the latest mesibo real-time API before submitting it
- All the issues impacting only the self account will not be eligible. Mesibo does not restrict anyone to enter any data in their own account or their users' account. Hence, most SPF records, XSS, CORS, clickjacking, login sessions, browser cache, and related issues are not eligible and we will not be even reply or acknowledge if you submit such issues.
- Privacy issues when the secure connection is turned off by the user
- Any public domain issues not directly related to mesibo
- UI related issues
- mesibo website content-related issues
- console and MySQL issues
- Issues in our open-source products including but not limied to open-source apps, samples, UI modules, etc.
- Denial-of-service issues
- Spam or social engineering issues
- Issues related to any third-party apps or website using mesibo services in an insecure manner - for example, making the app token or API key public
- Any duplicate reports
By submitting your report to this program, you understand that:
- We can cancel this program at any time
- mesibo determines in its sole discretion whether the report qualifies and if reward can be paid
- Your testing must not violate any law, or disrupt or compromise any data that is not your own
Submit your report