Responsible disclosure of discovered vulnerabilities
It is important for us at MikroTik that our customers can feel safe and
secure when using our products. We therefore constantly strive to achieve
the highest possible security and quality. Despite this, an issue could be
discovered, that affects our device security. If you have found such a
security flaw, we would like to hear more about it to be able to correct
the problem as soon as possible.
We are thankful to you for taking the time to report to us weaknesses you
discover, as long as you do so with adherence to the following responsible
disclosure guidelines.
What you can report:
-
Vulnerabilities in RouterOS, that allow unauthorised users to gain
access to the software administation tools
-
Vulnerabilities in our webpages that enable disclosure of non-public
client information; enable a user to modify data that is not their own
or could lead to compromise or leakage of data and directly affect the
confidentiality or integrity of user data or which affects user privacy
What you should not report:
-
Any vulnerabilities without a properly described evidence report of
proof of possible exploitation
-
Vulnerabilities only affecting users of outdated or unpatched browsers
and platforms (older than two major releases) or for users who have
intentionally reduced security settings on their platform
-
Issues that arise from misconfiguration or misuse of equipment or
software
-
Situations where equipment resources are used by user run tasks (eg. my
CPU is being used when I run this command or my device is overloaded by
network traffic)
If you have found a vulnerability, we kindly ask you to:
-
Not take advantage of the vulnerability or problem you have discovered,
for example by downloading more data than necessary to demonstrate the
vulnerability or deleting or modifying (third party) data
-
Not reveal the problem to others until it has been resolved and MikroTik
agrees on its disclosure
-
Never publicise any personal data that you have retrieved and delete all
such information retrieved through the vulnerability
-
Not use attacks on physical security, social engineering, distributed
denial of service (DoS and DDoS), spam or applications of third parties
-
Provide sufficient information to reproduce the problem so we will be
able to resolve it as quickly as possible.
We promise you that:
-
Your notification will be reviewed and if the problem will be
discovered, you will be notified within 48 hours with acknowledgement of
the issue
- The issue will be fixed according to our internal processes
-
You will be notified that the issue is resolved, within 48 hours of the
resolution
-
If you have followed the instructions above, we will not take any legal
action against you in regard to the notification
-
We will not pass on your personal details described in notification to
third parties without your permission (unless so required under the law
and request by authorities)
When contacting MikroTik about vulnerabilities, please use the e-mail
address
security@mikrotik.com