Mcardit Public Vulnerability Disclosure Policy

Purpose
Mcardit is committed to ensuring the safety and security of our merchants, customers and partners. To this end, Mcardit is now formalizing our policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and recognize that the work the community does is important in continuing to ensure safety and security for all of our customers. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

Initial Scope
Mcardit’s Vulnerability Disclosure Program initially covers the following products
MX.com
ACHQ.com

Response

Mcardit will make a best effort to quickly respond to and resolve responsibly disclosed issues.

Rewards
At this time, Mcardit does not offer a monetary reward for the responsible disclosure of security vulnerabilities. Security researchers who report qualifying issues will receive public acknowledgement in our release notes. If you would like to keep your report confidential, please indicate in your communication with us that you prefer not to receive public acknowledgement.

Program Rules
Only test assets that are in scope. Please provide detailed reports with reproducible steps. Submit one vulnerability per report. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

The following activity and methods are prohibited:

  • Social engineering of any kind
  • Spamming
  • Denial of service
  • Reverse Engineering
  • Physical attacks against MX property or data centers

How To Submit A Vulnerability

To submit a vulnerability report to Mcardit’s Security Team, please email merchantsupport @ mcardit.com.

Report Acceptance Criteria
We will use the following criteria to decide whether or not to accept the report. Reports that are out of scope, proven to be a false positive, not of sufficient quality or did not provide enough detail to be actionable will be declined or rejected. We will make a best effort to provide this feedback to the researcher and provide evidence where possible.

What we would like to see from you:

  • Well written reports in English will have a higher chance of being accepted.
  • Reports that include proof of concept code will be more likely to be accepted.
  • Reports that include only crash dumps or other automated tool output will most likely not be accepted.
  • Include how you found the bug, the impact, and any potential remediation.
  • Consideration for vulnerabilities that may have safety impact.
  • Any plans for public disclosure.

What you can expect from us:

  • A timely response to your email (within 3 business days; if you don’t receive a response in that time, please reach out again).
  • An open dialog to discuss issues
  • Notification when the vulnerability analysis has completed each stage of our review.
  • An expected timeline for patches and fixes (usually within 120 days).
  • Credit after the vulnerability has been validated and fixed.

UPDATED: February 1, 2024

Scroll to Top