The security of our customers is a top priority. We invest heavily in tools, processes and technologies to keep our users and their networks safe. This includes third-party audits, features like two-factor authentication, and our out-of-band cloud management architecture. The Cisco Meraki vulnerability rewards program is an important component of our overall security strategy, encouraging external researchers to collaborate with our security team to help keep our customers safe.
Reporting Security Issues
If you are a user and have a security issue to report regarding your account (e.g. password problems and account abuse issues), non-security bugs, and questions about your network, please contact Cisco Meraki Support.
When properly notified of legitimate issues, we will acknowledge your report, assign resources and fix potential problems as quickly as possible. Some of our products and services are complex and take time to update; in the spirit of furthering security, we ask that you provide reasonable time for us to address any vulnerabilities. Failure to adhere to the principle of responsible disclosure will result in the report not qualifying for a reward.
Your testing itself must also be responsible. We ask that you refrain from using any tools that are likely to automatically generate significant volumes of traffic. Your testing must also not violate the law or compromise any data that is not your own. When investigating a vulnerability, please only target your own account. Never attempt to access the data of anyone else and do not engage in any activity that would be damaging to Cisco Meraki, Cisco Meraki customers or Cisco Meraki users.
Only certain targets and types of attack are in scope. In the next section, we clarify the targets and attacks that are in scope and out of scope. We also provide clarifying information on the targets. Please see the “Rewards” section for our priorities and corresponding reward ranges.
Meraki is able to ship free hardware to eligible researchers. We want to encourage testing of in-scope targets. Please check the “Eligibility for Meraki hardware” section on this page, or click on the ”Program Updates” tab, for more information on our free hardware shipping program.
Our bug bounty program is aimed at helping test and secure the following in-scope Meraki targets. Researchers can, and are encouraged to, create their own "organization" and accounts for testing.
Out of scope
Any domain/property of Cisco Meraki not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Information on Targets
By way of clarification, the following is additional information on some of the domains that are in scope, and details around how they are used:
- *.ikarem.io: This domain is used for Meraki internal services, and as such, falls under the higher reward range.
- *.meraki.com: This domain is for the Cisco Meraki Dashboard and its integrated services.
- *.network-auth.com: This domain hosts user-created content for Dashboard-configured splash pages.
- meraki.cisco.com: This domain is our corporate website. Meraki devices do not communicate with this domain.
Further public documentation can be found at https://documentation.meraki.com.
Additionally, documentation for the Cisco Meraki Dashboard API can be found at https://create.meraki.io/api-docs/.
It's further worth noting that:
Most products run a light web server which offers the ability to locally configure the uplink of a device, as well as to see some very basic device status information. However, the Dashboard is the ultimate administrative interface for devices, as well as the primary source for device monitoring.
This is touched on in the focus areas section, but any way of obtaining shell access on a Meraki device is an interesting finding to our team — as there should be no way for a user to meaningfully authenticate to a device.
In regards to obtaining firmware images, users may configure, via the Dashboard, a firmware version for a device to run and the device will automatically download and install the new version. More information on that can be found in our firmware FAQ.
In Scope Attacks and Priority Ratings
Of the in scope targets, we provide clarifying information of the attacks that are in scope and out of scope. This is just a guideline; ultimately, the final judgement on priority is up to the Cisco Meraki Security Team Please see the “Rewards” section for the payment amounts corresponding to these priority ratings..
Attacks are considered in scope only if they can be performed on a fully provisioned and updated device. These attacks must not require a node "out of the box". When we refer to a "fully provisioned" device, we mean a device which has completed the following steps:
- It has been powered on and provided a connection to the Internet.
- It has successfully checked in to the Cisco Meraki Dashboard and received a configuration.
- It has downloaded, installed and rebooted into a new firmware version so that it is no longer running the out-of-the-box factory firmware.
Web Properties and Software Products
All Cisco Meraki web and software targets broadly adhere to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, please be sure to note the exceptions for hardware targets listed below.
Hardware and VMs
For hardware and VM targets, we are particularly interested in any of the following. This is, of course, a non-exhaustive list, and ultimately the priority of any issues against physical devices is subject to final evaluation by the Cisco Meraki Security Team.
- Remote code execution as root
- Remote root login
- Remote configuration injections
- Direct exposure of highly sensitive customer data to unauthorized parties, for example:
- Device secrets
- Cryptographic keys
- MV camera footage
- Customer credentials or PII
- Full compromise of secure boot
- "Packet of death" or similar mass Denial of Service
- Anything that is P1, except requiring substantial physical access to the device.
- For example: USB, management port, factory reset button
- Code Execution with a Local Network or stricter attack vector
- Limited Denial of Service (single device or single client)
- Denial of Service of non-critical functionality limited to a single device
- Intrusive physical attacks, such as attacks requiring an open device or a soldering iron, are capped at P3 regardless of impact
- For example: decapping, chip-replacement, any kind of soldering, DPA
- Compromise of less sensitive customer data (e.g. email, username, phone numbers)
- Insecure or broken device configuration fallback
- API keys originating from or accessing Cisco Meraki infrastructure
Out of Scope Attacks
The following attacks are excluded from the scope of our bug bounty program:
- Subdomain takeover
- Deficiencies in a security feature in an on-prem product. For example, 802.1x multi auth vs multi-host on MX and MS
- Flaws present only when using out-of-date browsers or plugins
- Only current versions of Chrome, Firefox, IE, Edge are accepted
- Self XSS, except novel attacks
- Text injection
- Email spoofing and any form of social engineering attack
- Full or partial path disclosure except when a real security impact can be demonstrated
- Missing Secure or HTTPOnly flags on cookies, except for these sensitive cookies:
- Login or Forgot Password page brute force and account lockout not enforced, unless it is configured in one or more of the user's organizations
- URL redirection
- Attacks by an administrator that affect the organization’s own users (e.g. malicious custom splash pages)
- Any attack against Cisco or Meraki corporate infrastructure
- Discovery of any in-use service whose running version includes known vulnerabilities without demonstrating an exploit
- Enumeration: brute force testing any of the below for enumeration each require separate advanced notification and permission from the Cisco Meraki Security Team prior to testing. Any report which comes from unarthorized testing will be considered out of scope.
- Order Number
- Serial Number
- License Key Enumeration issues will generally not be in scope but for exceptional cases, e.g. ability to enumerate email addresses via incrementing a parameter.
- All brute force denial-of-service attacks
- SSL/TLS attacks
- Any attack which renders the device permanently inoperable
- Multifactor bypass for users who are already authenticated.
- Any attack exploitable only by an active Man in the MiddleAny XSS exploitable only by an active Man in the Middle
- Reflected downloads
- Any hardware bugs which require a debugger to recreate
- Vulnerabilities in open source packages less than one month old
- Any vulnerability not present in the most recent beta firmware of a product
- Feature deficiencies are excluded, for example:
- Missing security features (e.g. SSL/TLS on the Local Status Page), except where novel attacks can be demonstrated
- Bypass of Advanced Security functionality (e.g. AMP, Content Filtering) on the MX
- Bypass of URL blacklists on any platform
- Group Policy/Splash Policy bypass on all platforms, this includes firewall rule bypass in the presence of group policies
- If you are unsure if this exclusion applies, please ask.
- Vulnerabilities resulting from missing or altered public-key pins
- DLL injection for mobile apps
- Being able to enroll in a Systems Manager deployment that has enrollment authentication disabled
- If the root cause of a vulnerability affects multiple different endpoints, we treat it as one submission and mark as a duplicate reports that exploit the same vulnerability at the multiple endpoints.
- Customer API keys
Eligibility for Meraki Hardware
As a way to encourage activity on the program, as well as provide researchers with a greater opportunity to test Meraki product, we are beginning an ongoing program to ship hardware to eligible researchers.
To be considered, all you need is to have earned at least 30 kudos points and one valid finding on the Meraki public bug bounty. There are other criteria that will need to be met before devices are shipped — such as Meraki's ability to ship to your home country, and whether or not special taxes need to be paid for shipped devices.
That said, if you have earned 30 kudos points on our program and would like to see if you can get some Hardware sent to you, please mention @Alexander_Laliberte within the submission. We'll work with you on the process from there.
Testing User Account Setup
Create a user account at https://meraki.cisco.com/form/demo, using your @bugcrowdninja.com email address. This will provide you with access to a demo organization and user account. To create a 2nd user-account within this demo organization, navigate to the "Organization" tab (left sidebar) and select "Administrators".
We recommend creating two (2) demo organizations to test cross-account permissions and access. Please use a "+" variation of your @bugcrowdninja.com email address (example: firstname.lastname@example.org - for more information on @bugcrowdninja emails, see here: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address).
Rewards for qualifying bugs range from $100 to $10,000. Each bug will be rewarded based on the severity of the issue found, as determined by the Cisco Meraki reward panel. Limit one reward per bug. Only the first to submit the same bug is rewarded.
Rewards — *.meraki.com, *.ikarem.io, all hardware and software products
P1: $6,000–$10,000 P2: $2,500–$6,000 P3: $500–$2,500 P4: $100–$500 P5: No Reward
Rewards — meraki.cisco.com
P1: $1,500–$2,500 P2: $1,000–$1,500 P3: $500–$1,000 P4: $100–$300 P5: No Reward
Frequently asked questions
Who determines whether my report is eligible for a reward?
The reward panel consists of the members of the Cisco Meraki Security Team.
What happens if I disclose the bug publicly before you had a chance to fix it?
We promise to respond promptly and fix bugs in a sensible timeframe — and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will not qualify.
What if somebody else also found the same bug?
Only the first person to alert us to a previously unknown flaw will qualify.
What CSRF tokens do you use?
CSRF tokens can appear both as one of the below, and CSRF reports are valid only if neither are present:
Can I get Meraki hardware to test?
Yes! Please see our section on this page about the hardware program for more details.
In addition to these Terms and Conditions regarding the Cisco Meraki Program, there may be additional restrictions depending upon applicable local laws.
- The parties to this Agreement are you and Cisco Meraki.
- "Cisco Meraki" refers to Meraki LLC.
- By participating in the Program, investigating a potential vulnerability, or submitting a vulnerability, you affirm that you have not disclosed and agree that you will not disclose the vulnerability to anyone other than Cisco Meraki. Absent Cisco Meraki's prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that Cisco Meraki will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to Cisco Meraki.
- By submitting information about a potential vulnerability, you are granting Cisco Meraki a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities in Cisco Meraki’s products and services.
- In the event of substantially duplicate submissions, Cisco Meraki may at its discretion provide a reward only for the earliest received submission. Eligibility for rewards, determination of the recipients, and amount of reward is at the discretion of Cisco Meraki.
- If issues reported to our bug bounty program affect a third party or another vendor, Cisco Meraki reserves the right to forward details of the issue along to the party without further discussion with the researcher.
- You are responsible for all taxes associated with and imposed on any reward you may receive from Cisco Meraki.
- You may only exploit, investigate, or target vulnerabilities against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact Cisco Meraki, Cisco Meraki’s products or services generally, or Cisco Meraki's online environment availability or performance. Cisco Meraki may choose not to remediate at its sole discretion.
- This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
- If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.
- You must not be the author of the code with the vulnerability.
- You must not be an employee or contractor of Cisco Meraki or its affiliates, or a family member of an employee or contractor.
CISCO MERAKI RESERVES THE RIGHT TO MODIFY OR CANCEL THIS PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.