Security

Vulnerability Disclosure Policy

Effective: July 14, 2026

MeritFirst welcomes good-faith security research. If you believe you have found a security vulnerability in our products or infrastructure, we want to hear from you. This page explains how to report it to us, what you can expect from us, and the rules that keep your research protected.

This is a vulnerability disclosure program. It does not currently offer monetary rewards.

How to report a vulnerability

Email security@meritfirst.us with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce it, such as a proof of concept
  • Any relevant URLs, parameters, or accounts used

Our machine-readable disclosure information is published at /.well-known/security.txt.

Scope

In scope:

  • The MeritFirst application at meritfirst.us and its APIs
  • Candidate-facing assessment flows

Out of scope:

  • Denial of service or volumetric testing
  • Social engineering of MeritFirst employees, customers, or candidates
  • Physical attacks
  • Third-party services we use (please report those to the vendor)
  • Automated scanner output with no demonstrated impact

What you can expect from us

  • A timely acknowledgment of your report
  • An initial assessment conducted promptly, prioritized by the severity of the finding
  • Updates as we work on remediation
  • Credit for your finding once resolved, if you would like it; anonymity if you prefer

Rules for researchers and safe harbor

We will not pursue legal action against researchers who:

  • Act in good faith and follow this policy
  • Avoid privacy violations, data destruction, and service disruption
  • Do not access, modify, or exfiltrate data beyond the minimum needed to demonstrate the issue
  • Give us reasonable time to remediate before public disclosure (90 days, or a timeline coordinated with us)

Show what you can do.