Guidelines
MERCO Bank believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have discovered a security vulnerability in our systems or in one of our product/services, we appreciate your help in disclosing it to us in a responsible manner.

We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concerns. We consider vulnerability disclosures our highest priority and we will try to address any issue as quickly as possible.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of MERCO Bank staff or contractors, or customers
• Any physical attempts against MERCO Bank property or data centres
• Any interaction or unauthorised access to data
• Missing best practices (we require evidence of a security vulnerability).
• Use of a known-vulnerable library (without evidence of exploitability).

Out of Scope

• Reports from automated tools or scans.
• Missing cookie flags on non-sensitive cookies.
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
• Exposure of non-sensitive data on mobile devices
• Missing security headers which do not lead directly to a vulnerability, including CSP.

Third-party bugs

If issues reported to our program affect a third-party library, external project, or another vendor, we reserve the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process, and we will not share your name with third parties without your approval.

Reporting a vulnerability

We accept and discuss vulnerability reports via email at security@mercobank.com
Please encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.

Reports should include:

• A Description of the location and potential impact of the vulnerability.
• A detailed description of the steps required to reproduce the vulnerability. * Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
• Any technical information and related materials we would need to reproduce the issue.
• Your name/handle for recognition in our Hall of Fame (optional)
• Please keep your vulnerability reports current by sending us any new information as it becomes available.

Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

MERCO Bank's senior management is committed to all security aspects in the organization. They recognize the importance of identifying and protecting its information assets, avoiding the loss, disclosure, modification and unauthorized use of the information, and encourage the development, implementation, maintenance and continuous improvement of the Information Security Management System (ISMS).

The managers of MERCO Bank are actively involved in:

1. Periodically establishing the objectives for the management of Information Security, and the necessary actions to implement them.
2. Performing systematics risk analysis, and assessing the impact and threats.
3. Validation of actions necessary to reduce the risks identified as unacceptable, according to the criteria established by the Security Committee.
4. Applying the necessary controls and their corresponding monitoring methods.
5. Ensuring the compliance with the legal, regulatory, and client requirements assumed by MERCO Bank, and contractual security obligations.
6. Promoting awareness and training on information security for all MERCO Bank personnel.
7. Providing the necessary resources to ensure the continuity of the company business.

The safety objectives of MERCO Bank are based on:

• Protection of knowledge, information and data.
• Protection of information and communication technologies.
• Protection of facilities and buildings.
• Protection of company assets.
• Protection of business continuity.
• Compliance with legal and regulatory standards.

Information Security is characterized as the preservation of:

1. its availability, ensuring authorized users have access to the information and associated assets when required.
2. its confidentiality, ensuring only those who are authorized can access the information.
3. its integrity, ensuring that the information remains unchanged and traceable.

MERCO Bank's management nominate the Information Security Manager as the person directly responsible for maintaining this policy for providing advice and guidance for its implementation.

This policy applies to all MERCO Bank personnel, as well as to external collaborators and suppliers who work in conjunction with MERCO Bank team.

Thank you for helping keep MERCO Bank and our users safe!