Responsible Disclosure

Responsible Disclosure Policy

Fab considers the protection of customer data a significant responsibility that requires our highest priority, as we want to deliver our customers a remarkable experience along every stage of their journey. We therefore take the security of our systems extremely seriously, and we genuinely value the assistance of security researchers and others in the security community in keeping our systems secure. Together we can make things better and find ways to solve challenges. Mimecast embraces others’ perspectives in order to build cyber resilience. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users. If you discover a vulnerability, we would appreciate hearing from you in accordance with this Policy so we can resolve the issue as soon as possible. Together we can achieve goals through collaboration, communication, and accountability.

Guidelines For Responsible Disclosure

  1. Perform research only within the “In Scope” set out in this Policy.
  2. Email your findings to our security team and include:
    • A description of the location and potential impact of the vulnerability and
    • A detailed description of the steps required to reproduce the vulnerability.
  3. Keep information about any vulnerability you’ve discovered confidential between yourself and Mimecast until we have had at least 90 days to review and resolve the issue. Note that the timeframe for us to review and resolve an issue may vary based upon a number of factors, including, among others, the complexity of the vulnerability and the risk it may pose.
  4. Keep communication channels open to allow effective collaboration.
  5. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  6. If your report is a “qualifying vulnerability” (described below) and you would like to be included in our Security Researcher Hall of Fame, make sure you provide us with your name and a link for recognition.

What You Can Expect From Us:

  1. We will work with you to understand and resolve the issue in an effort to increase the protection of our customers and systems.
  2. When you follow the guidelines that are laid out above, we will not pursue or support any legal action related to your research.
  3. We will respond to your report within 3 business days of submission.
  4. If you are the first to report a “qualifying vulnerability” in accordance with this Policy, and we make a code or configuration change based on your report, we would like to recognize your contribution to our Security Researcher Hall of Fame.

In Scope

Qualifying Vulnerabilities

What is a “qualifying vulnerability”?

Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, authorization issues, privilege escalation, and clickjacking. The vulnerability must be in one of the services named in the “In Scope” section above. You must be the first researcher to responsibly disclose the vulnerability, and you must follow the responsible disclosure guidelines set out in this Policy, which include giving us a reasonable amount of time to address the vulnerability. We will confirm the reasonable amount of time with you following the disclosure of the vulnerability.

What is not a “qualifying vulnerability”?

Although each submission will be evaluated on a case-by-case basis, here is a list of some of the issues that don’t qualify as security vulnerabilities:

  • UI and UX bugs and spelling mistakes;
  • TLS/SSL related issues;
  • SPF, DMARC, DKIM configurations;
  • Vulnerabilities due to out of date browsers or plugins;
  • Content-Security Policies (CSP);
  • Vulnerabilities in end of life products;
  • Lack of secure flag on cookies;
  • Username enumeration;
  • Vulnerabilities relying on the existence of plugins such as Flash;
  • Flaws affecting the users of out-of-date browsers and plugins;
  • Missing security headers, such as, but not limited to, “content-type-options” and “X-XSS-Protection”;
  • Missing CAPTCHAs as a security protection mechanism;
  • Issues that involve a malicious application installed on the device;
  • Vulnerabilities requiring a jailbroken device;
  • Vulnerabilities requiring physical access to mobile devices;
  • Use of a known-vulnerable library without proof of exploitability; and/or
  • Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.

Fab’s Security Researcher Wall of Fame

Amit Kumar – Reported a Broken Link Hijacking vulnerability. (03/11/2020)

Shubham Panchal – Reported unauthorized access to the XML-RPC file and its exploitation. (03/11/2020)

Jeet Atul Patel – Reported a Broken Link Hijacking vulnerability. (02/01/2021)

Alan Abhilash – Reported a WordPress vulnerability. (08/02/2021)

Keyur Mehta – Reported a Sensitive Information Disclosure. (04/03/2021)

Parshwa Bhavsar – Reported an Application Level DoS. (02/05/2021)