Vulnerability Disclosure Policy

At MirrorWeb, we take security seriously and appreciate the efforts of security researchers in helping us keep our systems secure. This policy outlines how to report vulnerabilities for www.mirrorweb.com and my.mirrorweb.com.

Overview

MirrorWeb is committed to ensuring the security of our web archiving platform and protecting our customers' data. We appreciate the security research community's efforts in responsibly disclosing vulnerabilities and welcome reports that help us improve our security posture.

Scope

In Scope

Security vulnerabilities in the following are eligible for disclosure:

  • MirrorWeb Domain: www.mirrorweb.com and all subdomains (e.g., my.mirrorweb.com)
  • Web Applications: Customer portals, administrative interfaces, and public-facing applications
  • APIs: All documented and undocumented APIs used by MirrorWeb services
  • Infrastructure: Web servers, databases, and network configurations directly controlled by MirrorWeb
  • Mobile Applications: Official MirrorWeb mobile applications
  • Third-party Integrations: Components integrated into MirrorWeb services where we have control

Out of Scope

The following are considered out of scope for our vulnerability disclosure program:

  • Third-party services not controlled by MirrorWeb
  • Customer-controlled environments and configurations
  • Social engineering attacks against MirrorWeb employees
  • Physical attacks against MirrorWeb facilities or personnel
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Spam or social engineering content
  • Reports from automated scanners without manual validation
  • Issues requiring physical access to devices or facilities

Vulnerability Categories

We are particularly interested in reports covering:

  • Authentication Bypass: Circumventing login mechanisms
  • Authorization Issues: Accessing resources without proper permissions
  • Data Exposure: Unintended disclosure of sensitive information
  • Injection Attacks: SQL, NoSQL, LDAP, OS command injection
  • Cross-Site Scripting (XSS): Stored, reflected, or DOM-based, excluding issues arising from the web archive replay functionality
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • Business Logic Flaws: Exploitation of application workflows

Reporting Guidelines

How to Report

Submit vulnerability reports through:

Report Requirements

Please include the following information in your report:

  1. Summary: Brief description of the vulnerability
  2. Impact: Potential business and technical impact
  3. Steps to Reproduce: Detailed, step-by-step instructions
  4. Proof of Concept: Evidence demonstrating the vulnerability
  5. Affected Systems: Specific URLs, APIs, or components
  6. Suggested Remediation: Recommended fixes or mitigations
  7. Discovery Method: Tools or techniques used
  8. Timeline: When the vulnerability was discovered

Submission Format

Subject: [SECURITY] Brief vulnerability description

Vulnerability Details:
- Type: [e.g., SQL Injection, XSS, etc.]
- Severity: [Critical/High/Medium/Low]
- Affected URL/System: [specific location]
- Impact: [description of potential damage]

Steps to Reproduce:
1. Step one
2. Step two
3. Step three

Proof of Concept:
[Screenshots, code snippets, or other evidence]

Suggested Fix:
[Your recommended remediation]

Responsible Disclosure Expectations

For Security Researchers

  • No Data Access: Do not access, modify, or delete data belonging to MirrorWeb or our customers
  • Minimal Impact: Limit testing to proof-of-concept only
  • No Service Disruption: Avoid actions that could impact service availability
  • Confidentiality: Keep vulnerability details confidential until resolution
  • Single Report: Avoid duplicate submissions across multiple channels
  • Legal Compliance: Ensure all testing complies with applicable laws

For MirrorWeb

  • Acknowledgment: We will acknowledge receipt within 48 hours
  • Initial Assessment: Provide initial triage within 5 business days
  • Regular Updates: Communicate progress every 2 weeks for complex issues
  • Resolution Timeline: Address critical issues within 30 days, others within 90 days
  • Credit: Provide appropriate recognition (with permission)
  • No Legal Action: We will not pursue legal action for good-faith research

Response Process

  1. Report Submission: Researcher submits vulnerability report through approved channels.
  2. Acknowledgment (Within 48 Hours):
    • Confirm receipt of report
    • Assign tracking number
    • Request additional information if needed
  3. Initial Assessment (Within 5 Business Days):
    • Validate vulnerability
    • Assign severity rating
    • Determine affected systems
    • Provide preliminary timeline
  4. Investigation and Remediation:
    • Develop and test fixes
    • Coordinate with development teams
    • Prepare deployment strategy
    • Provide regular status updates
  5. Resolution and Disclosure:
    • Deploy fixes to production
    • Verify remediation effectiveness
    • Coordinate public disclosure (if applicable)
    • Update security advisories

Severity Classification

Critical

  • Remote code execution
  • Authentication bypass
  • Significant data exposure
  • Complete system compromise

High

  • Privilege escalation
  • Sensitive data access
  • Significant business logic bypass
  • Widespread impact

Medium

  • Limited data exposure
  • CSRF with impact
  • Information disclosure
  • Moderate business impact

Low

  • Minor information disclosure
  • Limited impact vulnerabilities
  • Configuration issues
  • Informational findings

Safe Harbor

MirrorWeb provides legal safe harbor for security research conducted in good faith and in accordance with this policy. We will not initiate legal action against researchers who:

  • Make good faith efforts to comply with this policy
  • Report vulnerabilities promptly and responsibly
  • Avoid privacy violations and service disruption
  • Comply with all applicable laws and regulations

Recognition

No Bug Bounty Program

At this time, MirrorWeb does not offer a bug bounty program, but we value and acknowledge responsible disclosures.

Public Acknowledgment

With your permission, we will recognize security researchers who:

  • Report valid vulnerabilities
  • Follow responsible disclosure practices
  • Provide high-quality reports with clear impact

Hall of Fame

Outstanding contributions may be featured in our security acknowledgments page.

Contact Information

Legal Considerations

This policy is designed to be compatible with responsible disclosure practices and applicable laws. By participating in our vulnerability disclosure program, you agree to:

  • Follow all guidelines outlined in this policy
  • Respect MirrorWeb's intellectual property and customer data
  • Comply with all applicable laws and regulations
  • Accept that MirrorWeb reserves the right to modify this policy

Last Updated: May 27, 2025
Version: 1.0
Next Review: August 27, 2025