No technology is perfect, and here at MIDAS we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in our software and infrastructure.

Methods of Disclosure

If you believe you've found a security issue within our software or infrastructure, please let us know as soon as possible. We actively encourage and welcome private and coordinated and responsible disclosures.

We'll work alongside researchers who disclose potential issues to us in a private/responsible manner, to address any security concerns/vulnerabilities in a timely manner.

As our security team are English speaking, we request that all reports be disclosed to us in English.

Timescales

Our security team take all security concerns and vulnerability reports seriously, and we aim to respond within 24 hours of receipt. Typically, we'll respond within a matter of hours, however, we do request that you allow us up to 5 days for an initial acknowledgement.

Once we confirm your report, we then request that you allow us up to 30 days to address the issue. During this period, we'll keep you informed and provide you with timely updates. Once we believe that we've resolved the issue, we'll invite you to re-test and confirm.

Publishing / Public Disclosure

We request private and responsible disclosures from security researchers. In the case of a responsible disclosure, where the reporter also expresses an intent to publish details of the vulnerability, we request that any such public disclosure be delayed until the vulnerability has been fully addressed.

Once an issue has been resolved, we'll publish a security advisory in our security center where appropriate.

In the case that the vulnerability relates specifically to our MIDAS software (rather than to our websites), we request an further grace period of 90 days before a full public disclosure is made. This is to allow us to make a software update available to our customers and to allow them in turn the opportunity to update their software. A limited/partial public disclosure may be permitted by mutual consent in the interim, provided that it doesn't reveal any exploit method or include any PoC (Proof of concept) code.

Should any public disclosure be made, we request that we're provided with a link to the published details.

What to include in your report

Your initial report to us should include:

• Sufficient details of the vulnerability to allow it to be understood and reproduced by our developers and security team.
• HTTP requests and responses, HTML snippets, screenshots or any other supporting evidence.
• Redact any personal data before reporting.
• Proof of concept code (if available).
• The impact of the vulnerability.
• Any references or further reading that may be appropriate.
• Recommendations on how the issue could be mitigated or resolved.

Scope

The following are considered "in scope":

• mid.as (our main public website)
• pentest.mid.as (a hosted test MIDAS system, similar to that used by our hosted customers)
• midas.network (our dedicated service status site, and origin of our CDN)

The following are considered "out of scope":

• Vulnerabilities in 3rd party components or services
• Any of our customer's "hosted" MIDAS systems.

Rewards & Recognition

We may, at our sole discretion, provide a monetary reward or "bug bounty" to the security researcher. Whether a monetary reward is offered and any amount will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue occurring/being exploited, as well as the researcher's cooperation and adherence to these guidelines.

For issues we consider to be very small/minor/negligible, it's unlikely that we'll be able to offer a monetary reward.

Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly.

Terms

Researchers should;

1. Ensure that any testing is legal and authorized, and within the Scope set out above.
2. Respect the privacy of others, including our customers.
3. Not engage in activities which may impact our customers ability to access to our services, including but not limited to DoS/DDoS-style attacks.
4. Refrain from spamming or social engineering activities.
5. Not make physical attempts against MIDAS property or data centers.
6. Make reasonable efforts to contact our security team.
7. Not demand payment or other rewards as a condition of providing information on security vulnerabilities, or in exchange for not publishing the details or reporting them to industry regulators.

We reserve the right to amend these terms and guidelines at any time without prior notification. The latest version of these guidelines may be viewed in our Security Center

Safe Harbor

Any activities conducted in a manner consistent with these guidelines will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under these guidelines, we will take steps to make it known that your actions were conducted in compliance with these guidelines.