Reporting a Security Concern or Vulnerability

Methods of Disclosure

No technology is perfect, and here at MIDAS we believe that working with skilled individuals and security researchers across the globe is crucial in helping to identify potential weaknesses in our software, websites and infrastructure.

If you believe you've found a security issue within our software, websites, or infrastructure, please let us know as soon as possible. We actively encourage and welcome private and coordinated and responsible disclosures.

We'll work alongside individuals and researchers who disclose potential issues to us in a private/responsible manner, to address any security concerns/vulnerabilities in a timely manner.

As our security team are English speaking, we request that all reports be disclosed to us in English.

Methods of Contact

Please see this page for details of how to contact our Security Team.

Timescales

Our security team take all security concerns and vulnerability reports seriously, and we aim to respond within 24 hours of receipt of your initial report.

Typically, we'll respond within a matter of hours, however, we do request that you allow us up to 5 days for an initial acknowledgement before contacting us to chase a response.

Once we confirm your report, we then request that you allow us up to 30 days to address the issue. During this period, we'll keep you informed and provide you with timely updates. Once we believe that we've resolved the issue, we'll invite you to check / re-test and confirm.

Publishing / Public Disclosure

We request private and responsible disclosures from individuals and security researchers.

In the case of a responsible disclosure, where the reporter also expresses an intent to publish details of the issue or vulnerability, we request that any such public disclosure be delayed until the issue or vulnerability has been fully addressed.

Once an issue or vulnerability has been resolved, we'll publish a security advisory in our security center where appropriate.

In the case that the vulnerability relates specifically to our MIDAS software (rather than to our websites), we request an further grace period of 90 days before a full public disclosure is made. This is to allow us to make a software update available to our customers and to allow them in turn the opportunity to update their software. A limited/partial public disclosure may be permitted by mutual consent in the interim, provided that it doesn't reveal any exploit method or include any PoC (Proof of concept) code.

Should any public disclosure be made, we request that we're provided with a link to the published details.

What to include in your report

Your initial report to us should include:

Sufficient details of the issue / vulnerability to allow it to be understood and reproduced by our developers and security team.
HTTP requests and responses, HTML snippets, screenshots or any other supporting evidence.
Redact any personal data before reporting.
Proof of concept code (if available).
Proof of concept video (if applicable).
The impact of the vulnerability.
Any references or further reading that may be appropriate.
Recommendations on how the issue could be mitigated or resolved.

Scope

The following are considered "in scope":

mid.as (our main public website)
pentest.mid.as (a hosted test MIDAS system, similar to that used by our hosted customers)
midas.network (our dedicated service status site, and origin of our CDN)
security.midas.network (the website you're currently viewing)

The following are considered "out of scope":

All other *.mid.as sub domains
Vulnerabilities in 3rd party components or services
Any of our customer's MIDAS systems.

Rewards & Recognition

Whilst we may, at our sole discretion, provide a monetary reward or "bug bounty" to the security researcher for responsibly disclosing a valid vulnerability, please do not ask for a monetary compensation for your report.

Whether a monetary reward is offered and the amount will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue occurring/being exploited, as well as the researcher's cooperation and adherence to these guidelines.

For issues we consider to be of low severity and/or low likelihood of being exploited, it's unlikely that we'll be able to offer a monetary reward.

Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly on confirmation of a valid report.

Terms

Individuals / Researchers should;

Ensure that any testing is legal and authorized, and within the Scope set out above.
Respect the privacy of others, including our customers.
Not engage in activities which may impact our customers ability to access our services, including but not limited to DoS/DDoS-style attacks.
Refrain from spamming or social engineering activities.
Not make physical attempts against MIDAS property or data centers.
Make reasonable efforts to contact our security team.
Not demand payment or other rewards as a condition of providing information on security vulnerabilities or other such issues, or in exchange for not publishing the details or reporting them to industry regulators.

We reserve the right to amend these terms and guidelines at any time without prior notification.

Safe Harbor

Any activities conducted in a manner consistent with these guidelines will be considered authorized conduct and we will not initiate legal action against you.

If legal action is initiated by a third party against you in connection with activities conducted under these guidelines, we will take steps to make it known that your actions were conducted in compliance with these guidelines.