1. Introduction: Our Commitment to Security

At MoEngage, the security of our systems and the protection of our customers’ data are top priorities. We are committed to continuously improving the security of our platform. We value the crucial role that independent security researchers play in this ecosystem.

This policy is designed to provide a clear framework for the security research community to identify and report potential vulnerabilities to us. We pledge to work collaboratively with you to verify, address, and resolve any valid findings. Your efforts and responsible disclosure help us ensure our platform remains safe for everyone.

2. Scope of Policy

This policy applies to all publicly accessible digital assets owned and operated by MoEngage.

In-Scope Assets:

  • *.moengage.com
  • MoEngage Mobile SDKs (iOS & Android)

Test Accounts & Data Integrity:

  • Do not test on accounts you do not own.
  • Testing that affects real customer data, corrupts production databases, or degrades service quality is strictly prohibited.

Out-of-Scope Assets:

  • Third-Party Services: Services or vendors used by MoEngage (e.g., cloud providers, helpdesk software, marketing tools) are out of scope. We cannot authorize testing on systems we do not own.
  • MoEngage Corporate IT: Internal employee systems, office networks, and VPN endpoints are out of scope.

3. Safe Harbor

MoEngage considers research conducted under this policy to be authorized and protected.

Our Pledge to You:

We will not initiate legal action against you if you:

  • Conduct research in good faith and in compliance with this policy.
  • Report the vulnerability to us without making it public.
  • Do not compromise the privacy or safety of our customers or the operation of our services.
  • Do not exploit a security issue for any reason other than to demonstrate its existence.

Third-Party Safe Harbor:

If you inadvertently discover a vulnerability in a third-party module or service we use, we will not pursue legal action. However, we cannot authorize testing on behalf of those third parties. If you report such an issue to us, we will attempt to coordinate with the third party to address the vulnerability.

4. How to Report a Vulnerability

If you believe you have discovered a security vulnerability in one of our in-scope assets, please report it to us as quickly as possible.

Encrypted Communication (Recommended):

To protect sensitive information—such as Proof of Concept (PoC) exploits or data samples—we strongly encourage you to encrypt your email using our PGP Public Key.

If you are unable to use PGP, please do not include sensitive exploit code or customer data in your initial email. Instead, simply state the vulnerability class (e.g., “I found a Critical RCE”) and request a secure communication channel.

Reporting Process:

  • Email Us: Send your report to [email protected].
  • Provide Details:

    • Type of Vulnerability: (e.g., XSS, SQLi, RCE, IDOR).
    • Asset Affected: The specific URL, IP, or app component.
    • Reproduction Steps: Detailed text instructions, HTTP requests, or video proof.
    • Impact: A brief explanation of the severity.

5. Our Commitments & Response Timelines

MoEngage is committed to being responsive and transparent.

  • Initial Response: We will acknowledge your report within 24 hours.
  • Triage: We aim to validate and classify severity within 3 business days.
  • Remediation: We prioritize fixes based on severity. Critical issues are addressed within 5 days; lower-severity issues may be scheduled for specific release cycles. We will provide you with an estimated timeline.
  • Communication: We will keep you updated on the progress of the fix.

6. Confidentiality and Non-Disclosure

  • Strict Confidentiality: All information related to vulnerabilities reported to MoEngage—including the discovery, reproduction steps, and remediation—must remain strictly confidential.
  • No Public Disclosure: You are not authorized to disclose the vulnerability to the public or any third party at any time. This applies even after the vulnerability has been resolved.
  • Prohibited Channels: This prohibition includes, but is not limited to, publishing blog posts, social media updates, conference presentations, or video tutorials regarding the vulnerability.
  • Violation: Publicly disclosing a vulnerability without express written consent from MoEngage is a violation of this policy and disqualifies you from Safe Harbor protection.

7. Rules of Engagement (Do's and Don'ts)

To ensure your research is considered responsible, please adhere to the following:

Do:

  • Stop immediately if you encounter non-public data (PII, financial info, proprietary code). Do not view, save, or transfer it.
  • Purge any local copies of incidental data you may have downloaded.
  • Use custom scripts or low-intensity scanning tools only.

Don’t:

  • Exfiltrate Data: Do not download data to prove a vulnerability. Showing you can access one record is sufficient proof; accessing ten is excessive.
  • Disrupt Services: Do not use high-volume automated scanners (e.g., Nessus, Burp Intruder) without rate limiting, as this may trigger DoS protections.
  • Social Engineering: Phishing employees or customers is strictly prohibited.
  • Physical Attacks: Do not attempt to access MoEngage offices.

8. Acknowledgements & Recognition

MoEngage does not currently offer a monetary bug bounty program.

However, we believe in recognizing valuable contributions. If you submit a valid and unique vulnerability report, we will be pleased to add you to our Security Hall of Fame (with your permission).

We sincerely appreciate your efforts in helping us keep MoEngage and our community secure.