|Scope Type||Scope Name|
|hardware||Cisco Meraki MX Security Appliances|
|hardware||Cisco Meraki MS Switches|
|hardware||Cisco Meraki MR Access Points|
|hardware||Cisco Meraki MV Security Cameras|
|hardware||Cisco Meraki Z Series (Z1,Z3(C))|
|ios_application||Cisco Meraki Dashboard Mobile Application (iOS and Android)|
|other||Cisco Meraki Systems Manager|
|other||Cisco Meraki Virtual Security Appliances|
Out of Scope
|Scope Type||Scope Name|
|hardware||Cisco Meraki MC Phones|
The security of our customers is a top priority. We invest heavily in tools, processes and technologies to keep our users and their networks safe. This includes third-party audits, features like two-factor authentication, and our out-of-band cloud management architecture. The Cisco Meraki vulnerability rewards program is an important component of our overall security strategy, encouraging external researchers to collaborate with our security team to help keep our customers safe.
If you are a user and have a security issue to report regarding your account (e.g. password problems and account abuse issues), non-security bugs, and questions about your network, please contact Cisco Meraki Support.
When properly notified of legitimate issues, we will acknowledge your report, assign resources and fix potential problems as quickly as possible. Some of our products and services are complex and take time to update; in the spirit of furthering security, we ask that you provide reasonable time for us to address any vulnerabilities. Failure to adhere to the principle of responsible disclosure will result in the report not qualifying for a reward.
Your testing itself must also be responsible. We ask that you refrain from using any tools that are likely to automatically generate significant volumes of traffic. Your testing must also not violate the law or compromise any data that is not your own. When investigating a vulnerability, please only target your own account. Never attempt to access the data of anyone else and do not engage in any activity that would be damaging to Cisco Meraki, Cisco Meraki customers or Cisco Meraki users.
Only certain targets and types of attack are in scope. In the next section, we clarify the targets and attacks that are in scope and out of scope. We also provide clarifying information on the targets. Please see the “Rewards” section for our priorities and corresponding reward ranges.
Meraki is able to ship free hardware to eligible researchers. We want to encourage testing of in-scope targets. Please check the “Eligibility for Meraki hardware” section on this page, or click on the ”Program Updates” tab, for more information on our free hardware shipping program.
Our bug bounty program is aimed at helping test and secure the following in- scope Meraki targets. Researchers can, and are encouraged to, create their own "organization" and accounts for testing.
Target name | Type
*.meraki.com | Website
*.ikarem.io | Website
meraki.cisco.com | Website
Cisco Meraki MX Security Appliances | Hardware
Cisco Meraki MS Switches | Hardware
Cisco Meraki MR Access Points | Hardware
Cisco Meraki MV Security Cameras | Hardware
Cisco Meraki Systems Manager | Other
Cisco Meraki Virtual Security Appliances | Other
*.network-auth.com | Website
Cisco Meraki Dashboard Mobile Application (iOS and Android) | Other
Cisco Meraki Z Series (Z1,Z3(C)) | Hardware
Target name | Type
meraki.cisco.com/form/contact | Website
merakipartners.com | Website
smhelp.meraki.com | Website
community.meraki.com | Website
developers.meraki.com | Website
Cisco Meraki MC Phones | Hardware
community-staging.meraki.com | Website
Any domain/property of Cisco Meraki not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
By way of clarification, the following is additional information on some of the domains that are in scope, and details around how they are used:
Further public documentation can be found at https://documentation.meraki.com.
Additionally, documentation for the Cisco Meraki Dashboard API can be found at https://create.meraki.io/api-docs/.
It's further worth noting that:
Most products run a light web server which offers the ability to locally configure the uplink of a device, as well as to see some very basic device status information. However, the Dashboard is the ultimate administrative interface for devices, as well as the primary source for device monitoring.
This is touched on in the focus areas section, but any way of obtaining shell access on a Meraki device is an interesting finding to our team — as there should be no way for a user to meaningfully authenticate to a device.
In regards to obtaining firmware images, users may configure, via the Dashboard, a firmware version for a device to run and the device will automatically download and install the new version. More information on that can be found in our firmware FAQ.
Of the in scope targets, we provide clarifying information of the attacks that are in scope and out of scope. This is just a guideline; ultimately, the final judgement on priority is up to the Cisco Meraki Security Team Please see the “Rewards” section for the payment amounts corresponding to these priority ratings..
Attacks are considered in scope only if they can be performed on a fully provisioned and updated device. These attacks must not require a node "out of the box". When we refer to a "fully provisioned" device, we mean a device which has completed the following steps:
All Cisco Meraki web and software targets broadly adhere to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, please be sure to note the exceptions for hardware targets listed below.
For hardware and VM targets, we are particularly interested in any of the following. This is, of course, a non-exhaustive list, and ultimately the priority of any issues against physical devices is subject to final evaluation by the Cisco Meraki Security Team.
† To clarify, an intrusive attack includes, but is not limited to, any attack that requires opening or penetrating the enclosure or handling any of its PCBs or any operation that involves physical tampering with the device.
The following attacks are excluded from the scope of our bug bounty program:
As a way to encourage activity on the program, as well as provide researchers
with a greater opportunity to test Meraki product, we are beginning an ongoing
program to ship hardware to eligible researchers.
To be considered, all you need is to have earned at least 30 kudos points and one valid finding on the Meraki public bug bounty. There are other criteria that will need to be met before devices are shipped — such as Meraki's ability to ship to your home country, and whether or not special taxes need to be paid for shipped devices.
That said, if you have earned 30 kudos points on our program and would like to see if you can get some Hardware sent to you, please mention @Alexander_Laliberte within the submission. We'll work with you on the process from there.
Create a user account at https://meraki.cisco.com/form/demo, using your @bugcrowdninja.com email address. This will provide you with access to a demo organization and user account. To create a 2nd user-account within this demo organization, navigate to the "Organization" tab (left sidebar) and select "Administrators".
We recommend creating two (2) demo organizations to test cross-account permissions and access. Please use a "+" variation of your @bugcrowdninja.com email address (example: email@example.com - for more information on @bugcrowdninja emails, see here: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address).
Rewards for qualifying bugs range from $100 to $10,000. Each bug will be rewarded based on the severity of the issue found, as determined by the Cisco Meraki reward panel. Limit one reward per bug. Only the first to submit the same bug is rewarded.
P1: $6,000–$10,000 P2: $2,500–$6,000 P3: $500–$2,500 P4: $100–$500 P5: No Reward
P1: $1,500–$2,500 P2: $1,000–$1,500 P3: $500–$1,000 P4: $100–$300 P5: No Reward
The reward panel consists of the members of the Cisco Meraki Security Team.
We promise to respond promptly and fix bugs in a sensible timeframe — and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will not qualify.
Only the first person to alert us to a previously unknown flaw will qualify.
CSRF tokens can appear both as one of the below, and CSRF reports are valid only if neither are present:
Yes! Please see our section on this page about the hardware program for more details.
In addition to these Terms and Conditions regarding the Cisco Meraki Program, there may be additional restrictions depending upon applicable local laws.
CISCO MERAKI RESERVES THE RIGHT TO MODIFY OR CANCEL THIS PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.