Merlot Digital








Vulnerability Disclosure Policy (VDP)

Part of the Merlot Digital Legals
Last updated 2024/03/27 (March 27th, 2024)

If you believe you’ve discovered a potential security vulnerability within one of our services or products, we strongly encourage you to disclose it to us as quickly as possible – in a responsible & secure manner. We appreciate the assistance and patience of security researchers, and we are committed to reviewing all reports that are disclosed to us.

We take the security of our customers’ data as well as our own incredibly seriously – it’s at the heart of all that we do.

We will do our best to address each confirmed issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure. There may be back-and-forth required to confirm/deny any issues, and to then have them resolved, so please note that our first reply will not always confirm a resolution.

Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us. We’re transparent and reasonable, and are here to help.

1. Policy scope (VDP coverage)

We encourage you to conduct responsible security research on those of our products and services to which you have authorised access.

Please note that some services, domains/subdomains, etc, may operate under 3rd-party services, and may be locally or externally operated/hosted. In some circumstances, our ability to resolve problem/s raised will be restricted; however, we will make every reasonable attempt to have the fault/s resolved upstream by escalating with the party.

In such an event, we are happy to relay upstream communications to the reporter in order to evidence our actions. They would be Commercial-in-Confidence due to the sensitive nature of the communications, and require appropriate handling by the reporter. If mishandled, we and all of our applicable partners/providers/etc maintain all of our legal rights.

2. The following types of research are strictly prohibited:

  • Any attempt/s to modify or destroy any data and/or metadata
  • Exfiltrating any quantity of data and/or metadata from our systems
  • Accessing or attempting to access accounts or data that doesn’t belong to you
  • Executing or attempting to execute a (Distributed) Denial of Service ((D)DoS) attack
  • Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
  • Conducting social engineering (including phishing) of The Network Crew Pty Ltd employees, contractors or customers or any other party
  • Any physical attempts against our property and/or data centres, including (but not limited to) our offices and other physical sites (including mobile/remote sites)
  • Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or other party
  • Testing third party websites, applications or services that integrate with our services or products (except where permitted)
  • Any activity that violates any Law applicable to the circumstances

3. The following vulnerability types are excluded from this VDP:

  • Self-XSS
  • Content spoofing
  • HTTP or DNS cache poisoning
  • OPTIONS HTTP method enabled (depending)
  • Weak or insecure SSL cipher suites (up to a point)
  • Lack of Secure or HttpOnly flags on non-sensitive cookies
  • HTTP 404 codes or pages, or other HTTP non-200 codes or pages
  • Disclosure of known public files or directories, such as robots.txt
  • Clickjacking and other issues only exploitable through clickjacking
  • Fingerprinting or banner disclosure on common and public services
  • Descriptive error messages such as stack traces, application or server errors
  • Login or Forgot Password page brute force and account lockout not enforced
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • CSRF on forms that are available to anonymous users, such as contact, login and logout forms
  • Missing HTTP security headers, such as Strict Transport Security, X-Frame-Options, X-XSS-Protection, etc
  • Best practices not being followed – for example, lack of proper enforcement of email security (DMARC for instance)

4. Safe Harbour

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability.

This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Vulnerability Disclosure Policy (VDP).

In the event of any non-compliance with this VDP and any relevant 3rd-party policies (where applicable), all legal rights are fully reserved.

If in doubt, please contact the TNC Security Team by sending an email to and await our final answer.

5. How to report a Potential Security Vulnerability

Ensure that you compile details of the potential security vulnerability and exploit with enough information to enable our Security Team to reproduce your steps.

Your report to us should contain:

  • An explanation of the potential security vulnerability;
  • A list of products and services that may be affected (where possible);
  • Steps to reproduce the vulnerability, including any requirements;
  • Proof-of-concept code (where applicable) with short-hand comments;
  • The names & IDs of any test accounts you have created (where applicable); and
  • Your contact information, including your PGP key should you desire encrypted replies.

You can responsibly disclose potential security vulnerabilities to the TNC Security Team by emailing with details. At our discretion, we may offer Signal/etc.

Our PGP key is available on request by emailing our Security Team before submitting your report through to them. Please note that it’s rolled, so it should be considered single-use.

6. What happens once I’ve made the report?

Once you have reported a potential security vulnerability to our Security Team, they will contact you within 72 business hours with our initial response.

From there, we will keep you informed on our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.

We ask that you maintain confidentiality & do not make your research public until we have completed our investigation and, if necessary, remediated or mitigated the potential issue.

Our websites and services are not intended for, or designed to attract, individuals under the age of 18. Due to the (USA) Children’s Online Privacy Protection Act (COPPA) as endorsed by the Australian Institute of Family Studies (AIFS), we cannot accept submissions from children under the age of 13.

You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We don’t pay bounties/rewards for vulnerabilities raised. We reserve the right to cancel this program/policy at any time at our sole discretion.

For abuse issues or law enforcement queries, please review our Acceptable Usage Policy (AUP) and Terms of Service (TOS).