Security Advisory
At MERCUSYS, customer security comes first. That’s why we work diligently to ensure that our products include the highest level of security features, with firmware and hardware that protect customers and their devices from the latest threats.
We welcome and encourage all reports related to product security or user privacy. We will follow established processes to address them and provide timely feedback.
Report Vulnerabilities to MERCUSYS
We strongly encourage organizations and individuals to contact MERCUSYS’s security team to report any potential security issue.
This contact information is ONLY for reporting product security or vulnerability issues.
| Contact Method | Details |
| Email address | security@mercusys.com |
| Template | Potential vulnerability report template |
| Response Timeframes | MERCUSYS will acknowledge all vulnerability reports within 5 working days, and will provide regular updates until the issue is resolved. |
| PGP Public Key | Click to download |
MERCUSYS may request additional information to help reproduce and verify the issue. We recommend using the vulnerability report template above to expedite the process.
MERCUSYS supports encrypted messages using Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG) encryption software.
Responsible Reporting Guidelines
1. All parties to a vulnerability disclosure should comply with the laws of their country or region.
2. Vulnerability reports should be based on the latest released firmware, and preferably written in English.
3. Report vulnerabilities through the dedicated communication channel. MERCUSYS may receive reports through other channels but does not guarantee that those reports will be acknowledged.
4. Adhere to data protection principles at all times and do not violate the privacy and data security of MERCUSYS's users, employees, agents, services or systems during the vulnerability discovery process.
5. Maintain communication and cooperation during the disclosure process and avoid disclosing information about the vulnerability prior to the negotiated disclosure date.
6. MERCUSYS is not currently operating a vulnerability bounty program.