Back to Security Page

Vulnerability Disclosure Policy

Mesh Payments is committed to providing a robust and secure service to our customers and maintaining the security, confidentiality, availability, privacy, and integrity of our products is a priority at Mesh payments. Therefore, Mesh Payments appreciates the work of researchers in order to improve our security and/or privacy posture. We are committed to creating a safe, transparent environment to report vulnerabilities.

If you have come across a security or privacy vulnerability that could impact Mesh Payments or our customers, we encourage you to report this immediately at security@meshpayments.com.
We will investigate all valid reports and fix the vulnerability as soon as we can.
We encourage you to follow Mesh Payments’s Vulnerability Disclosure Policy and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

Scope

Services that Mesh Payments provides or any Mesh Payments product are in scope. 

The following are excluded from the Responsible Disclosure Policy (note that this list is not exhaustive):

  • Taking any action that may negatively affect Mesh Payments.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third-party application/systems.
  • Destruction or corruption of data, information or infrastructure, including any attempt to do so.
  • Reconnaissance dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Mesh Payments).
  • Any exploitation actions, including accessing or attempting to access Mesh Payments’s data or information, beyond what is required for the initial “Proof of Vulnerability.”
  • The actions to validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
  • Attacks on third-party services.
  • Denial of Service (DoS) attacks or Distributed Denial of Services (DDoS) attacks.
  • Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
  • Knowingly posting, transmitting, uploading, linking to, or sending any viruses/malware.
  • Pursuing vulnerabilities that send unsolicited bulk messages (spam) or unauthorized messages.
  • Any vulnerability obtained through the compromise of Mesh Payments customer or employee accounts.
  • UI and UX bugs and spelling mistakes.

Accepted Vulnerabilities Are the Following:

  • Server Security Misconfiguration
  • Server-side Injection
  • Cross-Site Scripting (XSS)
  • Sensitive Data Exposure
  • Broken Authentication and Session Management
  • Broken Access Control (BAC)
  • Application-level Denial-of-Service (DoS)
  • Unvalidated Redirects and Forwards
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • External Behavior
  • Insufficient Security Configurability
  • Using Components with Known Vulnerability
  • Insecure Data Storage
  • Lack of Binary Hardering
  • Insecure Data Transport
  • Criptographic Weakness
  • Privacy Concerns
  • Privacy Concerns
  • Client-side Injection
  • Authentication issues
  • Code Execution
  • Code or Database Injections
  • Indicators of Conpromise
  • Mobile Security Misconfiguration
  • AI application Security
  • Other

Out of Scope Vulnerabilities

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept or a demonstrated exploit.
  • Third-party applications or services that integrate with Mesh payments.
  • Discovery of any third-party services (vulnerable third-party code) whose running version includes known vulnerabilities without demonstrating an existing security impact.

Mesh Payments pledges not to initiate any legal action against researchers if they adhere to the guidelines outlined in our Vulnerability Disclosure Policy. In order to protect our customers, Mesh Payments requests that you not post or share any information about a potential vulnerability in any public forums/sites until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

Due to the Children’s Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.

This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.

The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.

Back to Security Page

Solutions

Benefits

Integrations

Pricing

Who we serve

Company

Partners

Legal

Privacy

Resources

The new MeshPay Visa® Commercial Reloadable Prepaid Card is subject to approval and availability and is issued by SoFi Bank, N.A., Member FDIC, pursuant to license by Visa International Incorporated and can be used everywhere Visa® is accepted. SoFi Bank, N.A. is not a lender or provider of any cash advance product related to the Card.

You can read the full terms hеre.

By using this website you agree to our cookie policy.