Reporting a Security Vulnerability
What Is a Vulnerability?
MeridianLink® defines a security vulnerability as a weakness in a product or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.
How to Submit a Report
We encourage customers and the security research community to report vulnerabilities in our products. If you believe you’ve found a security issue that meets MeridianLink’s definition of a vulnerability, please submit a report to our security team via one of the methods below.
If You’re a Current Customer:
If You’re a Security Researcher:
Email us at [email protected].
Vulnerabilities That Should Not Be Reported
The following types of vulnerabilities do not need to be reported to us:
- Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.). These are considered security best practices and do not need to be classified as vulnerabilities.
- Missing security-related attributes on non-sensitive cookies. MeridianLink products may set certain security-related attributes on cookies used on our applications. The absence of these attributes on non-sensitive cookies is not considered a security vulnerability.
- Exposed stack traces. Stack traces by themselves are not considered a security issue. If you find that a stack trace details personally identifiable information or user-generated content, please submit a report detailing the issue.
- Content spoofing by administrative users. We allow administrators to inject HTML into specific areas of our products as a customization feature and do not consider that functionality to be a vulnerability.
- Clickjacking on pages or pages that only contain static content. On a static page without any interactive elements, clickjacking cannot occur.
- Auto-complete enabled or disabled. Modern browsers have changed the way that they handle auto-complete, and generally no longer respect the auto-complete tag. As a result, the auto-complete vulnerability is somewhat deprecated.
If you have questions about submitting a vulnerability, please email us at [email protected].