Our customers’ security is a top priority for the Cisco Meraki team. We invest heavily in tools, processes, and technologies to keep our users and their networks safe, including third-party audits, features like two-factor authentication, and our out-of-band cloud management architecture. The Cisco Meraki vulnerability rewards program is an important component of our security strategy, encouraging external researchers to collaborate with our security team to help keep networks safe.
Reporting security issues
If you are a user with a security issue regarding your account (such as password problems or account abuse), a non-security bug, or a question about your network, please contact Cisco Meraki Support.
When properly notified of legitimate issues, we will do our best to acknowledge your report, assign resources, and fix potential problems as quickly as possible. Some of our products and services are complex and take time to update — in the spirit of furthering security, we ask that you provide reasonable time for us to address any vulnerabilities.
The program is aimed at helping test and secure the following in-scope Meraki devices - as well as the front-end dashboard & admin panel for Cisco Meraki network products. Researchers can (and are encouraged to) create their own "organization" and accounts for testing.
Please Note: In regards to testing hardware, researchers must supply their own device(s) for testing; Cisco Meraki is not able to provide testing devices to researchers at this time.
Out of scope
Any domain/property of Cisco Meraki not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Regarding the targets:
By way of clarification, here's a quick rundown on some of the domains that are in scope, and some details around how they're used:
- *.ikarem.io: Used for Meraki internal services, and as such, falls under the higher reward range.
- *.meraki.com: Aside from the specific exclusions called out, this is the Cisco Meraki Dashboard and its integrated services.
- *.network-auth.com: Hosts user-created content for Dashboard-configured splash pages. We consider this part of Dashboard - as such, it is part of the higher reward range.
- meraki.cisco.com: Our corporate website. Devices do not communicate with this domain.
Our public documentation can be found at https://documentation.meraki.com.
Additionally, documentation for the Cisco Meraki Dashboard API can be found at https://create.meraki.io/api-docs/.
It's further worth noting that:
Most products run a light webserver which offers the ability to locally configure a device's uplink, as well as to see some very basic device status information. However, the Dashboard is the ultimate administrative interface for devices, as well as the primary source for device monitoring.
This is touched on in the focus areas section, but any way of obtaining shell access on a Meraki device is an interesting finding to our team - as there should be no way for a user to meaningfully authenticate to a device.
In regards to obtaining firmware images, unfortunately, there is no quick or easy way to download or pull the firmware from the Internet or from one's own device. Users may configure, via the Dashboard, a firmware version for a device to run, and the device will automatically download and install the new version. More information on that can be found in our firmware FAQ. Because this process happens automatically, we do not provide a way for users to directly obtain firmware images (outside of requirements under GPL and similar licenses), and in some cases we even require devices to authenticate themselves to the Dashboard to authorize an image download.
Testing User Account Setup
Create a user account at https://meraki.cisco.com/form/demo, using your @bugcrowdninja.com email address. This will provide you with access to a demo organization and user account. To create a 2nd user-account within this demo organization, navigate to the "Organization" tab (left sidebar) and select "Administrators".
We recommend creating two (2) demo organizations to test cross-account permissions and access. Please use a "+" variation of your @bugcrowdninja.com email address (example: firstname.lastname@example.org - for more information on @bugcrowdninja emails, see here: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address).
NOTE: do not perform any testing against accounts/organizations/assets that you do not explicitly control, which is to say that we ask that you not modify or tamper with other clients' accounts/systems. If you believe you have found an issue that exposes client data/systems, please submit the issue ASAP before continuing any testing on that vector. Thanks!
Rewards for qualifying bugs range from $100 to $10,000. Each bug will be rewarded based on the severity of the issue found, as determined by the Cisco Meraki reward panel. Limit one reward per bug – and only the first to submit is rewarded.
Rewards - *.meraki.com, all hardware, & software products
- P1: $6,000 - $10,000
- P2: $2,500 - $6,000
- P3: $500 - $2,500
- P4: $100 - $500
- P5: No Reward
Rewards - meraki.cisco.com
- P1: $1,500 - $2,500
- P2: $1,000 - $1,500
- P3: $500 - $1,000
- P4: $100 - $300
- P5: No Reward
Web Properties & Software Products
All Cisco Meraki web and software targets adhere to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, please be sure to note the exclusions listed below.
Hardware Taxonomy Notes:
In regards to the hardware targets, we're particularly interested in seeing if researchers are able to find any of the following. This is, of course, a non-exhaustive list, and ultimately the priority of any issues against physical devices is subject to final evaluation by the Cisco Meraki Security Team.
- Remote Code Execution
- Root login
- Direct exposure of sensitive customer data/secrets/information to unauthorized parties
- Hijack or override of device configuration
- Local shell access (see FAQ)
- Contained denial of service (limited to a single device or single client)
- Denial of Service of non-critical functionality limited to a single device
- Insecure or broken device configuration fallback
Eligibility for Meraki Hardware!
As a way to encourage activity on the program, as well as provide researchers with a greater opportunity to test Meraki product, we're beginning an ongoing program to ship hardware to eligible researchers!
To be considered, all you need is to have earned at least 30 kudos points and one valid finding on the Meraki public bug bounty. There are other criteria that will need to be met before devices are shipped, such as Meraki's ability to ship to your home country, and whether or not special taxes need to be paid for shipped devices.
That said, if you have earned 30 kudos points on our program and would like to see if you can get some hardware sent to you, please mention @Alexander_Laliberte within the submission. We'll work with you on the process from there.
The following are excluded for the Cisco Meraki Dashboard:
- All network-level Denial of Service attacks
- SSL/TLS attacks mitigated on the client-side, e.g. BEAST, POODLE, SWEET32
- Multifactor bypass for already-authenticated users
- Any attack exploitable only by an active Man in the Middle
- Reflected downloads
The following are excluded for hardware/product vulnerability reports:
- Brute force Denial of Service attacks
- Missing security features (e.g. SSL/TLS on the Local Status Page), except where novel attacks can be demonstrated
- Any bugs which require a debugger to recreate
- Any attack which renders a device permanently inoperable or otherwise non-working
- Vulnerabilities in open source packages less than ONE MONTH old
- Any vulnerability not present in a product's most recent beta firmware
- Additionally, feature deficiencies are excluded, for example:
  - Bypass of Advanced Security functionality (e.g. AMP, Content Filtering) on the MX
  - Bypass of URL blacklists on any platform
  - Group Policy / Splash Policy bypass on all platforms; this includes firewall rule bypass in the presence of group policies
  - If you're unsure whether this exclusion applies, please ask.
The following are excluded for Systems Manager and Dashboard Mobile reports:
- Any bugs which require use of a debugger or hardware tools to recreate
- Vulnerabilities present only on jailbroken devices
- Information disclosure resulting from image or screen capture of the application
- Vulnerabilities resulting from missing or altered public-key pins
- DLL injection
- Being able to enroll in a Systems Manager deployment that has enrollment authentication disabled
The following are excluded for all targets:
- Flaws present only when using out-of-date browsers or plugins
  - Chrome, Firefox, IE, Edge: current version only
- Self XSS, excepting novel attacks
- Text injection
- Email spoofing
- Full or partial path disclosure except when a real security impact can be demonstrated
- Clickjacking and any issues only exploitable through clickjacking
- Missing Secure or HTTPOnly flags on cookies, except for these sensitive cookies:
- Login or Forgot Password page brute force and account lockout not enforced
  - UNLESS it is configured in one or more of the user's organizations
- Brute-force enumeration issues (see below)
- Any form of social engineering attack
- URL redirection
- Attacks by an administrator that affect the organization’s own users (e.g. malicious custom splash pages, intentional misconfiguration of nodes)
- Any attack against Cisco / Meraki corporate infrastructure
- Discovery of any in-use service whose running version includes known vulnerabilities without demonstrable security impact
- Vulnerabilities identified with automated tools (including web scanners) that do not include POC code or a demonstrated exploit
- Third-party services hosted by non-Meraki entities are excluded, including:
  - HOWEVER, these specific third-party services ARE in scope:
    - docs.meraki.com, kb.meraki.com, documentation.meraki.com
Brute-force testing of any of the items below for enumeration purposes requires separate advance notification to, and permission from, the Cisco Meraki Security Team prior to testing. Any report which comes from unauthorized testing will be considered out of scope.
- Order Number
- Serial Number
- License Key
Enumeration issues will generally not be in scope, except for exceptional cases, e.g. the ability to enumerate email addresses by incrementing a parameter.
Final Exclusions and Notes
Out of concern for the availability of our services to all users, we ask you to refrain from using any tools that are likely to automatically generate significant volumes of traffic. Your testing must not violate any law, or disrupt or compromise any data that is not your own. When investigating a vulnerability, please only target your own account. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to Cisco Meraki, Cisco Meraki customers, or Cisco Meraki users.
Frequently asked questions
Who determines whether my report is eligible for a reward?
The reward panel consists of the members of the Cisco Meraki Security Team.
What happens if I disclose the bug publicly before you had a chance to fix it?
We promise to respond promptly and fix bugs in a sensible timeframe — and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will not qualify.
What if somebody else also found the same bug?
Only the first person to alert us to a previously unknown flaw will qualify.
What CSRF tokens do you use?
CSRF tokens can appear as either of the below, and CSRF reports are valid only if neither is present:
What about local shell access?
Attacks that grant local shell access, such as through a serial interface, are valid only if they can be performed on a fully provisioned and updated device. These attacks must not require a node "out of the box".
When we refer to a "fully provisioned" device, we are talking about a device which has done all of the following:
- Has been powered on and provided a connection to the Internet.
- Has successfully checked in to the Cisco Meraki Dashboard and received a configuration.
- Has downloaded, installed and rebooted into a new firmware version so that it is no longer running the out-of-the-box factory firmware.
Important legal terms
In addition to these Terms and Conditions regarding the Cisco Meraki Program, there may be additional restrictions depending upon applicable local laws.
- The parties to this Agreement are you and Cisco Meraki.
- "Cisco Meraki" refers to Meraki LLC.
- By participating in the Program, investigating a potential vulnerability, or submitting a vulnerability, you affirm that you have not disclosed and agree that you will not disclose the vulnerability to anyone other than Cisco Meraki. Absent Cisco Meraki's prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that Cisco Meraki will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to Cisco Meraki.
- By submitting information about a potential vulnerability, you are granting Cisco Meraki a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities in Cisco Meraki’s products and services.
- In the event of substantially duplicate submissions, Cisco Meraki may at its discretion provide a reward only for the earliest received submission. Eligibility for rewards, determination of the recipients, and amount of reward is at the discretion of Cisco Meraki.
- If issues reported to our bug bounty program affect a third party or another vendor, Cisco Meraki reserves the right to forward details of the issue along to the party without further discussion with the researcher.
- You are responsible for all taxes associated with and imposed on any reward you may receive from Cisco Meraki.
- You may only exploit, investigate, or target vulnerabilities against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact Cisco Meraki, Cisco Meraki’s products or services generally, or Cisco Meraki's online environment availability or performance. Cisco Meraki may choose not to remediate at its sole discretion.
- This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
- If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.
- You must not be the author of the code with the vulnerability.
- You must not be an employee or contractor of Cisco Meraki or its affiliates, or a family member of an employee or contractor.
CISCO MERAKI RESERVES THE RIGHT TO MODIFY OR CANCEL THIS PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.