Responsible Disclosure

Helping safeguard our data through responsible reporting


At MSCI, we take cybersecurity seriously and appreciate the vital role the security community plays in helping to protect our systems and our clients.

If you believe you’ve discovered a potential security vulnerability, we encourage you to report it responsibly through our disclosure process. Your contributions help safeguard the integrity, privacy and trust our clients expect when it comes to securing their data.

Please use our submission form to report a vulnerability and follow the responsible disclosure guidelines, including a clear description of:

  • The issue and where it was found.
  • Steps required to reproduce the vulnerability.

Responsible disclosure guidelines

Researchers participating in our program must adhere to the following guidelines to disclose a potential vulnerability:

  • Do not engage in any activity that could harm MSCI, our customers or employees.
  • Do not engage in any activity that could disrupt or degrade MSCI services or assets.
  • Do not initiate a fraudulent financial transaction.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) you are conducting research activity.
  • Do not store, share, compromise or destroy MSCI or customer data. If you encounter personally identifiable information (PII), immediately halt your activity, purge any related data from your system and contact MSCI using the submission form. This step protects you as well as any potentially vulnerable data.
  • Do not perform automated scanning or testing.

Please allow MSCI reasonable time to resolve any reported issues before disclosing the information publicly or to a third party.

MSCI agrees not to pursue legal action against you if you adhere to these guidelines when submitting a report. We reserve all legal rights in the event of noncompliance with these guidelines.


Accepted vulnerabilities

  • Any vulnerability included in the Top 10 vulnerability categories designated by the Open Worldwide Application Security Project (OWASP)
  • Other vulnerabilities with demonstrated impact

Out of scope techniques and methods

Certain vulnerabilities — due to either low impact or irrelevance — are beyond the scope of our Responsible Disclosure Program, including:

  • Physical testing
  • Social engineering or phishing
  • Denial of service attacks
  • Resource exhaustion attacks
  • Attacks requiring MITM or physical access to a user’s device
  • Google Maps Platform API keys
  • Account/e-mail enumeration using brute-force attacks
  • Any low impact issues related to session management such as concurrent sessions, session expiration or password reset/change logout
  • Clickjacking/UI redressing
  • Client-side application/browser autocomplete or saved password/credentials
  • Descriptive or verbose error pages with no proof of exploitability or obtaining sensitive information. Information sensitivity determined by MSCI
  • Directory structure enumeration, unless it reveals exceptionally useful information
  • Incomplete or missing SPF/DMARC/DKIM records
  • Issues related to password/credential strength, length, lock outs or lack of brute-force/rate limiting protections
  • Leaking session cookies, user credentials or other sensitive data will be reviewed on a case-by-case basis
  • If leaking of sensitive data requires MITM positioning to exploit, it will be considered out of scope
  • Login/logout/unauthenticated/low-impact CSRF
  • Low impact information disclosures, including software version disclosure
  • Missing cookie flags
  • Missing/enabled HTTP headers/methods that do not lead directly to a security vulnerability
  • Reflected file download attacks (RFD)
  • SSL/TLS best practices that do not contain a fully functional proof of concept
  • Heartbleed requires a valid POC which shows sensitive data leakage. Information sensitivity determined by MSCI
  • POODLE requires a POC demonstrating a downgrade, not just the result of SSLScan or Nmap scan
  • URL redirection
  • Use of a known vulnerable library which leads to a low-impact vulnerability, such as an outdated version of jQuery leading to low impact XSS
  • Valid bugs not directly related to the security posture of the client
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for injection of arbitrary text but not of hyperlinks, HTML or JavaScript code
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions, such as self-XSS
  • Any type of XSS that requires a victim to press an unlikely key combination, such as alt+shift+x for payload execution

Disclosing a vulnerability

Use our embedded submission form to make a disclosure.

Visit our Information Security Program page for more information on how we secure our data, systems and services.
