MX is committed to ensuring the safety and security of our customers. Towards this end, MX is now formalizing our policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and recognize that the work the community does is important in continuing to ensure safety and security for all of our customers. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.
MX’s Vulnerability Disclosure Program initially covers the following products
MX will make a best effort to quickly respond to and resolve responsibly disclosed issues.
At this time, MX does not offer a monetary reward for the responsible disclosure of security vulnerabilities. Security researchers who report qualifying issues will receive public acknowledgement in our release notes. If you would like to keep your report confidential, please indicate in your communication with us that you prefer not to receive public acknowledgement.
Only test assets that are in scope. Please provide detailed reports with reproducible steps. Submit one vulnerability per report. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
The following activity and methods are prohibited:
To submit a vulnerability report to MX’s Security Team, please email vulns@mx.com and use our public key for all communications
We will use the following criteria to decide whether or not to accept the report. Reports that are out of scope, proven to be a false positive, not of sufficient quality or did not provide enough detail to be actionable will be declined or rejected. We will make a best effort to provide this feedback to the researcher and provide evidence where possible.
What we would like to see from you:
What you can expect from us: