What Is a Vulnerability?

MeridianLink defines a security vulnerability as a weakness in a product or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.

How to Submit a Report

We encourage customers and the security research community to report vulnerabilities in our products.If you believe you’ve found a security issue that meets MeridianLink’s definition of a vulnerability, please submit a report to our security team via one of the methods below.

If You’re a Current Customer:

Submit a Support Ticket

If You’re a Security Researcher:

Submit the form below or email us at security@meridianlink.com.



Security Vulnerability Reporting Form

You're about to submit a report to MeridianLink. The more information you provide, the quicker we can validate the issue and respond. We operate a private bug bounty program for our products, but only invited security researchers are eligible to receive payment in exchange for qualifying vulnerability reports submitted to MeridianLink.

Please provide the following information:



Vulnerabilities That Should Not Be Reported 

The following types of vulnerabilities do not need to be reported to us: 

  • Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.).These are considered security best practices and do not need to be classified as vulnerabilities. 
  • Missing security-related attributes on non-sensitive cookies. MeridianLink products may set certain security-related attributes on cookies used on our applications. The absence of these headers on non-sensitive cookies is not considered a security vulnerability. 
  • Exposed stack traces. Stack traces by themselves are not considered a security issue. If you find that a stack trace details personally identifiable information or user-generated content, please submit a report detailing the issue. 
  • Content spoofing by administrative users. We allow administrators to inject HTML into specific areas of our products as a customization feature and do not consider that functionality to be a vulnerability. 
  • Clickjacking on pages or pages that only contain static content.On a static page without any interactive elements on the page, clickjacking cannot occur. 
  • Auto-complete enabled or disabled. Modern browsers have changed the way that they handle auto-complete, and generally no longer respect the auto-complete tag. As a result, the auto-complete vulnerability is somewhat deprecated.

If you have questions about submitting a vulnerability, please email us at security@meridianlink.com.