Vulnerability Disclosure Policy
Monte Carlo is committed to ensuring the security of our systems and we greatly appreciate the efforts of the security community in helping us achieve this goal. The disclosure of security vulnerabilities is a crucial part of this process.
Guidelines
We ask all researchers to:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the identified communication channels to report vulnerability information to us.
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Monte Carlo until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we will:
- Not pursue or support any legal action related to your research.
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
- Recognize your contribution on our Security Researcher Wall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
- Consider providing a swag reward if the vulnerability is determined to be of high impact and probability.
Assessment Process
The impact assessment is based on the attack's potential for causing privacy violations, financial loss, and other user harm, as well as user-based reach.
The probability assessment takes into account the technical skills needed to conduct the attack, the potential motivators of such an attack, and the likelihood of the attack being discovered by an attacker.
In Scope
In principle, any Monte Carlo-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains:
- *.getmontecarlo.com
- *.dev.getmontecarlo.com
- *.montecarlodata.com
Out of Scope
Services
Any services hosted by third-party providers are out of scope. This includes any service listed in our Trust Center as a subprocessor.
Non-qualifying vulnerabilities
The following test types are excluded from our scope:
- Any type of physical testing (open doors, tailgating)
- Findings derived from social engineering (phishing, smishing, vishing)
- Findings from applications not listed in the In Scope section
- UI/UX bugs and spelling mistakes
- Network-level Denial of Service (DoS/DDoS) vulnerabilities
- Cross-site scripting vulnerabilities in Development domains
- URL redirection
- Legitimate content proxying and framing
- Bugs requiring exceedingly unlikely user interaction
- Flaws affecting users with out-of-date browsers and plugins
- Logout cross-site request forgery (CSRF)
- User enumeration
Things that we do not want to receive in your report:
- Personally Identifiable Information (PII)
- Credit Card/Payment Card Information (PCI)
How to Report a Security Vulnerability
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing [email protected]. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).
- Your name/handle and a link for recognition in our Wall of Fame.