Reporting a Security Vulnerability

Vulnerabilities That Should Not Be Reported

The following types of vulnerabilities do not need to be reported to us: 

• Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.). These are considered security best practices and do not need to be classified as vulnerabilities. 
• Missing security-related attributes on non-sensitive cookies. MeridianLink products may set certain security-related attributes on cookies used on our applications. The absence of these headers on non-sensitive cookies is not considered a security vulnerability. 
• Exposed stack traces. Stack traces by themselves are not considered a security issue. If you find that a stack trace details personally identifiable information or user-generated content, please submit a report detailing the issue. 
• Content spoofing by administrative users. We allow administrators to inject HTML into specific areas of our products as a customization feature and do not consider that functionality to be a vulnerability. 
• Clickjacking on pages or pages that only contain static content. On a static page without any interactive elements on the page, clickjacking cannot occur. 
• Auto-complete enabled or disabled. Modern browsers have changed the way that they handle auto-complete, and generally no longer respect the auto-complete tag. As a result, the auto-complete vulnerability is somewhat deprecated.

If you have questions about submitting a vulnerability, please email us at security@meridianlink.com.