Reporting a Security Concern or Vulnerability

Methods of Disclosure

No technology is perfect, and here at MIDAS we believe that working with skilled security researchers across the globe is crucial in helping to identify potential weaknesses in our software and infrastructure.

If you believe you've found a security issue within our software or infrastructure, please let us know as soon as possible. We actively encourage and welcome private, coordinated and responsible disclosures.

We'll work alongside researchers who disclose potential issues to us in a private and responsible manner, so that any security concerns or vulnerabilities can be addressed in a timely manner.

As our security team are English speaking, we request that all reports be disclosed to us in English.

Methods of Contact

Please see this page for details of how to contact our Security Team.

Timescales

Our security team take all security concerns and vulnerability reports seriously, and we aim to respond within 24 hours of receipt.

Typically we'll respond within a matter of hours; however, we do request that you allow us up to 5 days for an initial acknowledgement.

Once we confirm your report, we then request that you allow us up to 30 days to address the issue. During this period, we'll keep you informed and provide you with timely updates. Once we believe that we've resolved the issue, we'll invite you to re-test and confirm.

Publishing / Public Disclosure

We request private and responsible disclosures from security researchers.

In the case of a responsible disclosure, where the reporter also expresses an intent to publish details of the vulnerability, we request that any such public disclosure be delayed until the vulnerability has been fully addressed.

Once an issue has been resolved, we'll publish a security advisory in our security center where appropriate.

In the case that the vulnerability relates specifically to our MIDAS software (rather than to our websites), we request a further grace period of 90 days before a full public disclosure is made. This is to allow us to make a software update available to our customers and to allow them in turn the opportunity to update their software. A limited/partial public disclosure may be permitted by mutual consent in the interim, provided that it doesn't reveal any exploit method or include any PoC (Proof of Concept) code.

Should any public disclosure be made, we request that we're provided with a link to the published details.

What to include in your report

Your initial report to us should include:

Scope

The following are considered "in scope":

The following are considered "out of scope":

Rewards & Recognition

We may, at our sole discretion, provide a monetary reward or "bug bounty" to the security researcher.

Whether a monetary reward is offered, and the amount of any such reward, will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue being exploited, as well as the researcher's cooperation and adherence to these guidelines.

For issues we consider to be very small/minor/negligible, it's unlikely that we'll be able to offer a monetary reward.

Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly.

Terms

Researchers should:
  1. Ensure that any testing is legal and authorized, and within the Scope set out above.
  2. Respect the privacy of others, including our customers.
  3. Not engage in activities which may impact our customers' ability to access our services, including but not limited to DoS/DDoS-style attacks.
  4. Refrain from spamming or social engineering activities.
  5. Not make physical attempts against MIDAS property or data centers.
  6. Make reasonable efforts to contact our security team.
  7. Not demand payment or other rewards as a condition of providing information on security vulnerabilities, or in exchange for not publishing the details or reporting them to industry regulators.

We reserve the right to amend these terms and guidelines at any time without prior notification.

Safe Harbor

Any activities conducted in a manner consistent with these guidelines will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under these guidelines, we will take steps to make it known that your actions were conducted in compliance with these guidelines.

Thank you for helping keep MIDAS and our users safe!