Cisco Meraki

  • $100 – $10,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

234 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$1,220 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

The security of our customers is a top priority. We invest heavily in tools, processes and technologies to keep our users and their networks safe. This includes third-party audits, features like two-factor authentication, and our out-of-band cloud management architecture. The Cisco Meraki vulnerability rewards program is an important component of our overall security strategy, encouraging external researchers to collaborate with our security team to help keep our customers safe.

Please note: Cisco Meraki regularly releases new code and functionality; updates will be posted in the announcement section highlighting new code. This is a great opportunity for Cisco Meraki and the researcher community to work together to find vulnerabilities! In the event you do not find a bug today, please check back tomorrow! Be sure to watch for new releases on Cisco Meraki's changelog.

Reporting Security Issues

If you are a user and have a security issue to report regarding your account (e.g. password problems and account abuse issues), a non-security bug, or a question about your network, please contact Cisco Meraki Support.

When properly notified of legitimate issues, we will acknowledge your report, assign resources and fix potential problems as quickly as possible. Some of our products and services are complex and take time to update; in the spirit of furthering security, we ask that you provide reasonable time for us to address any vulnerabilities. Failure to adhere to the principle of responsible disclosure will result in the report not qualifying for a reward.

Your testing itself must also be responsible. We ask that you refrain from using any tools that are likely to automatically generate significant volumes of traffic. Your testing must also not violate the law or compromise any data that is not your own. When investigating a vulnerability, please only target your own account. Never attempt to access the data of anyone else and do not engage in any activity that would be damaging to Cisco Meraki, Cisco Meraki customers or Cisco Meraki users.

Program Scope

Only certain targets and types of attack are in scope. In the next section, we clarify the targets and attacks that are in scope and out of scope. We also provide clarifying information on the targets. Please see the “Rewards” section for our priorities and corresponding reward ranges.

Meraki is able to ship free hardware to eligible researchers. We want to encourage testing of in-scope targets. Please check the “Eligibility for Meraki hardware” section on this page, or click on the “Program Updates” tab, for more information on our free hardware shipping program.

Our bug bounty program is aimed at helping test and secure the following in-scope Meraki targets. Researchers can, and are encouraged to, create their own "organization" and accounts for testing.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.