Reporting a Security Vulnerability

What Is a Vulnerability?

MeridianLink® defines a security vulnerability as a weakness in a product or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.

How to Submit a Report

We encourage customers and the security research community to report vulnerabilities in our products. If you believe you’ve found a security issue that meets MeridianLink’s definition of a vulnerability, please submit a report to our security team via one of the methods below.

If You’re a Current Customer:

If You’re a Security Researcher:

Email us at [email protected].

Vulnerabilities That Should Not Be Reported

The following types of vulnerabilities do not need to be reported to us: 

  • Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.). These are considered security best practices and do not need to be classified as vulnerabilities. 
  • Missing security-related attributes on non-sensitive cookies. MeridianLink products may set certain security-related attributes on cookies used on our applications. The absence of these attributes on non-sensitive cookies is not considered a security vulnerability.
  • Exposed stack traces. Stack traces by themselves are not considered a security issue. If you find that a stack trace details personally identifiable information or user-generated content, please submit a report detailing the issue. 
  • Content spoofing by administrative users. We allow administrators to inject HTML into specific areas of our products as a customization feature and do not consider that functionality to be a vulnerability. 
  • Clickjacking on pages or pages that only contain static content. On a static page without any interactive elements, clickjacking cannot occur.
  • Auto-complete enabled or disabled. Modern browsers have changed the way that they handle auto-complete, and generally no longer respect the auto-complete tag. As a result, the auto-complete vulnerability is somewhat deprecated.

If you have questions about submitting a vulnerability, please email us at [email protected].