MoEngage Logo

MoEngage Responsible Disclosure Policy

At MoEngage, we take the security of our systems and applications very seriously, and it is our constant endeavour to make our applications and infrastructure a safe place for our customers to use. However, in the rare case when some security researcher or member of the general public identifies a issue/vulnerability in our applications/systems, and responsibly shares the details of it with us, we appreciate their contribution, work closely with them to address such issues with urgency, and if they want, publicly acknowledge their contribution.

How to report an issue?

If you happen to have identified a vulnerability on any of our web properties, we request you to follow the steps outlined below:

  • 1. Please contact us immediately by sending an email to security@moengage.com with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
  • 2. If possible, share with us your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed to identify or close the problem.

Dos and Don’ts:

  • - We urge the researchers to not to disclose any identified and/or reported issues over any public forum or to third parties till we completely mitigate the issue. Our security team will work with you to estimate and commit to fix the issue within a reasonable time frame.
  • - If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems` ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
  • - While we appreciate the inputs of WhiteHat hackers or researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
  • - We strongly suggest researchers to restrain from using any and all automated security tools and third party websites for testing applications/infra belonging to MoEngage. Any such incidents will be considered as an attack on our assets and will be met with legal recourse.
  • - Any issues that are require MoEngage employees/users to interact in order to exploit the issue are considered invalid.
  • - Any issues that require an outdated browser and application are considered invalid.
  • - Any issues that require physical access to our systems or infrastructure are considered invalid.
  • - Any issues that are already known to us internally or reported externally are considered duplicate. Your report should be the first to consider it as a valid issue.
  • - We also request you not to attempt attacks such as DOS, social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
  • - You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.

Responsibility at our end

  • - We will be fast and will try to get back to you as soon as possible.
  • - We will keep you updated as we work to fix the bug you have submitted.
  • - Thank-You section will be updated only once the vulnerability has been fixed.

Acknowledgements

We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will be done if you want a public acknowledgement.