The security of our customers is a top priority. We invest heavily in tools, processes and technologies to keep our users and their networks safe. This includes third-party audits, features like two-factor authentication, and our out-of-band cloud management architecture. The Cisco Meraki vulnerability rewards program is an important component of our overall security strategy, encouraging external researchers to collaborate with our security team to help keep our customers safe.
Please note: Cisco Meraki regularly releases new code and functionality; updates will be posted in the announcement section highlighting new code. This is a great opportunity for Cisco Meraki and the researcher community to work together to find vulnerabilities! In the event you do not find a bug today, please check back tomorrow! Be sure to watch for new releases on Cisco Meraki's changelog
Reporting Security Issues
If you are a user and have a security issue to report regarding your account (e.g. password problems and account abuse issues), non-security bugs, and questions about your network, please contact Cisco Meraki Support.
When properly notified of legitimate issues, we will acknowledge your report, assign resources and fix potential problems as quickly as possible. Some of our products and services are complex and take time to update; in the spirit of furthering security, we ask that you provide reasonable time for us to address any vulnerabilities. Failure to adhere to the principle of responsible disclosure will result in the report not qualifying for a reward.
Your testing itself must also be responsible. We ask that you refrain from using any tools that are likely to automatically generate significant volumes of traffic. Your testing must also not violate the law or compromise any data that is not your own. When investigating a vulnerability, please only target your own account. Never attempt to access the data of anyone else and do not engage in any activity that would be damaging to Cisco Meraki, Cisco Meraki customers or Cisco Meraki users.
Only certain targets and types of attack are in scope. In the next section, we clarify the targets and attacks that are in scope and out of scope. We also provide clarifying information on the targets. Please see the “Rewards” section for our priorities and corresponding reward ranges.
Meraki is able to ship free hardware to eligible researchers. We want to encourage testing of in-scope targets. Please check the “Eligibility for Meraki hardware” section on this page, or click on the ”Program Updates” tab, for more information on our free hardware shipping program.
Our bug bounty program is aimed at helping test and secure the following in-scope Meraki targets. Researchers can, and are encouraged to, create their own "organization" and accounts for testing.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.