Mimecast’s Responsible Disclosure Policy
Mimecast considers protection of customer data a significant responsibility and requires our highest priority as we want to deliver our customers a remarkable experience along every stage of their journey. We therefore take the security of our systems extremely seriously, and we genuinely value the assistance of security researchers and others in the security community to assist in keeping our systems secure. Together we can make things better and find ways to solve challenges. Mimecast embraces on another’s perspectives in order to build cyber resilience. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users. If you discover a vulnerability, we would appreciate to hear from you in accordance with this Policy so we can resolve the issue as soon as possible. Together we can achieve goals through collaboration, communication and accountability.
Guidelines For Responsible Disclosure
- Perform research only within the “In Scope” set out in this Policy;
- Mimecast Customers should Raise a Case for any reports that are not security related”
- Email your findings to our security team and include (i) a description of the location and potential impact of the vulnerability and (ii) a detailed description of the steps required to reproduce the vulnerability;
- Keep information about any vulnerability you’ve discovered confidential between yourself and Mimecast until we have had at least 90 days to review and resolve the issue. It is important to note that the timeframe for us to review and resolve an issue may vary based upon a number of factors, including the complexity of the vulnerability, the risk that the vulnerability may pose, among others;
- Keep communication channels open to allow effective collaboration;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
What You Can Expect From Us:
- We will work with you to understand and resolve the issue in an effort to increase the protection of our customers and systems;
- When you follow the guidelines that are laid out above, we will not pursue or support any legal action related to your research;
- We shall endeavour to respond to your report within 3 business days of submission
In Scope
- https://www.mimecast.com
- Mimecast MTA Servers
- Mimecast POP servers
- Mimecast Large File Send (LFS) service
- Mimecast Secure Messaging (SM) service
- Mimecast Unified Audit Utility
- Mimecast Administration Console
- Mimecast Personal Portal
- Mimecast Service Monitor
- Mimecast API
- Mimecast Web Security
- Mimecast DMARC Analyzer
- Mimecast Brand Exploit Protect
- Mobile clients for Android, iOS
- https://blog.mimecast.com
Out Of Scope
Any services hosted by third party providers are excluded from scope. These services include:
- Mimecast Knowledge Base (kb.mimecast.com);
- Mimecast Academy (academy.mimecast.com);
- https://community.mimecast.com;
- and anything else not explicitly named in the “In Scope” section above.
In the interest of the safety of our customers, staff, the Internet at large, as well as you as a security researcher, the following test types are excluded from scope:
- Any attempt to modify or destroy data;
- Findings derived primarily from social engineering (e.g. phishing);
- Findings from applications or systems not listed in the ‘In Scope’ section;
- Network level Denial of Service (DoS/DDoS) vulnerabilities or any other attempt to interrupt or degrade the services Mimecast offers, including impacting the ability for end users to use the service;
- Any attempts to access a user’s account or data;
- And anything not permitted by applicable law...
Qualifying Vulnerabilities
What is a “qualifying vulnerability”?Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, and authorization issues, privilege escalation and clickjacking. The vulnerability must be in one of the services named in the “In Scope” section above. You must be the first researcher to responsibly disclose the vulnerability and you must follow the responsible disclosure guidelines set out in this Policy, which include giving us a reasonable amount of time to address the vulnerability. We will confirm the reasonable amount of time with you following the disclosure of the vulnerability.
What is not a “qualifying vulnerability”?Although each submission will be evaluated on a case-by-case basis, here is a list of some of the issues which don’t qualify as security vulnerabilities:
- UI and UX bugs and spelling mistakes;
- TLS/SSL related issues;
- SPF, DMARC, DKIM configurations;
- Vulnerabilities due to out-of-date browsers or plugins;
- Content-Security Policies (CSP);
- Vulnerabilities in end-of-life products;
- Lack of flags on cookies;
- Username enumeration;
- Vulnerabilities relying on the existence of plugins such as Flash;
- Flaws affecting the users of out-of-date browsers and plugins;
- Security headers missing such as, but not limited to "content-type-options", "X-XSS-Protection";
- CAPTCHAs missing as a Security protection mechanism;
- Issues that involve a malicious installed application on the device;
- Vulnerabilities requiring a jailbroken device;
- Vulnerabilities requiring a physical access to mobile devices;
- Use of a known-vulnerable library without proof of exploitability; and/or
- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element;
Account lockout or rate limit features; - Account lockout or rate limit features;
- API keys exposed in pages (e.g. Google Maps), unless that key can be proven to perform a privileged operation;
- “Source Code Disclosures” of JavaScript files, unless that file can be proven to be private;
- “Cross Domain Referrer Leakage”, unless the referrer string contains privileged or private information;
- Subdomain takeover attacks without proof, a common false positive is smartlinggdn.mimecast.com;
- Host header injections when the connection must be MITM’d to exploit it or when the value of the header is not reflected in the page/used in the application;
- Missing security attributes on HTML elements (example: autocomplete settings on text fields);
- The ability to iFrame a page/clickjacking;
- HTML injection without any security impact;
- CSRF attacks without any impact or that do not cross a privilege boundary;
- Any third party information/credential leaks that don’t fall under Mimecast’s control (e.g Google, Bing, Github, Pastebin etc);
- Generally do not accept 3rd Party Vulnerabilities that do not have an advisory published for them as yet;
- Vulnerabilities that have been recently published (less than 30 days);
- Vulnerabilities that have already been reported/fix in progress.
Mimecast’s Security Researcher Wall of Fame
Mimecast would like to publicly convey our deepest gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. Your legendary efforts are truly appreciated by Mimecast.
2015
- Pradeep Kumar - facebook.com/pradeepch99
- Sumit Jain - facebook.com/sumit.cfe
- Jay Patel - facebook.com/jaypatel9717
- Deepak Das - facebook.com/deepak.das.581525
- Shivam Kumar Agarwal - facebook.com/shivamkumar.agarwal.9
- Naveen Sihag - twitter.com/itsnaveensihag
- Rafael Pablos
2016
J. Vogel
Matias P. Brutti
Mike Brown - twitter.com/m8r0wn
Stephen Tomkinson (NCC Group Piranha Phishing Simulation)
2017
Will Pearce & Nick Landers (Silent Break Security)
Dipu Hasan
Paul Price (Schillings Partners)
Terry Conway (CisCom Solutions)
2018
- Abdul Mateen
- Pritam Singh
- John Lee (City Business Solutions UK Ltd)
- Jeroen W
2019
- Charlie Smith - twitter.com/moopinger
- Patrick Sukop - twitter.com/iKnadt
- Abdelhak Kharroubi
- Francesco Lacerenza - linkedin.com/in/francesco-lacerenza/
- Raphaël (Access42 B.V.)
- Rotimi Akinyele - linkedin.com/in/nigerianpenetrationtester
- Wesley Kirkland - linkedin.com/in/wesleykirkland
2020
- Vaibhav Atkale - twitter.com/atkale_vaibhav
- Swapnil Maurya - twitter.com/swapmaurya20
- Derek Knaub - linkedin.com/in/derek-knaub-97836514
- Sanem Sudheendra
2021
- Naz Markuta - linkedin.com/in/naz-markuta/
- Darren LaCasse - twitter.com/stiltznet
- Ajit Bhatta - twitter.com/callmeajit
- Shreeram Mallick - linkedin.com/in/shreeram-mallick-051b43211
- Rob Lowery - lowery.tech
- Shane King - linkedin.com/in/shane-king-b282a188
- Sheikh Rishad
2022
- Patrick Sayler (NetSPI)
- Mayank Gandhi - linkedin.com/in/mayank-gandhi-0163ba216
- Ankur Vaidya
2023
- Elliott Brooks