Responsible Disclosure

If you have discovered a security vulnerability in Merion's systems, we want to hear from you. This page explains the scope, our safe-harbour commitment, and how to report.

How to report

Send your report by email to:

[email protected] — please include the word "Security" in the subject line.

Your report should include:

  • A description of the vulnerability and its potential impact.
  • The URL(s), endpoint(s), or component(s) affected.
  • Step-by-step reproduction instructions or a proof of concept (if safe to include).
  • Your name and contact details (optional — anonymous reports are accepted).

Do not include live personal data (real debtor records, real payment credentials) in your report. If you have accidentally accessed personal data in the course of discovering a vulnerability, tell us — do not retain, share, or exploit it.

Scope

In scope:

  • trust.merion.com.au (this site)
  • merion.com.au and all of its subdomains, including help., auth., api., client., and debtor.
  • The Merion client portal and debtor portal (web application vulnerabilities)
  • The Merion API at api.merion.com.au

Out of scope:

  • Third-party services and sub-processors (Stripe, Cloudflare, Hostinger, Sentry, Anthropic, OpenAI) — report vulnerabilities in those services to the relevant vendor.
  • Social engineering attacks against Merion staff.
  • Denial-of-service attacks.
  • Physical security.
  • Vulnerabilities that require physical access to a device, or that require privileged access you have legitimately been granted.
  • Theoretical vulnerabilities without a working proof of concept.
  • Best-practice recommendations that are not exploitable vulnerabilities.

Safe-harbour statement

Merion will not pursue civil or criminal action against researchers who:

  • Discover and report vulnerabilities in good faith through this programme.
  • Do not access, modify, delete, or exfiltrate data beyond what is strictly necessary to demonstrate the vulnerability.
  • Do not disrupt the availability of Merion's services.
  • Do not exploit the vulnerability for any purpose other than testing and demonstration.
  • Report the vulnerability to us before disclosing it publicly, and allow us a reasonable period to address it.

This safe-harbour is a good-faith commitment, not a legal waiver. Researchers who act outside these parameters — particularly those who access, download, or exploit real debtor personal data — are not covered.

What to expect after reporting

  1. Acknowledgement — We aim to acknowledge all reports within 3 business days. If you have not heard from us within 5 business days, please follow up.
  2. Triage — We assess the severity and validity of the report within 10 business days. We will keep you informed if we need more time.
  3. Remediation — We aim to remediate confirmed critical vulnerabilities within 30 days and high-severity issues within 60 days. More complex issues may take longer; we will communicate timelines.
  4. Disclosure — We ask that you give us a reasonable opportunity to fix the issue before public disclosure. For critical vulnerabilities, we request a 90-day embargo; for lower-severity issues, 30 days is generally sufficient. We are open to negotiating timelines.

Recognition

Merion does not currently operate a bug bounty programme with monetary rewards. We are happy to acknowledge researchers who report valid vulnerabilities in our public communications (with their consent), and to provide a written reference confirming the responsible disclosure for professional purposes.

Questions

If you are unsure whether a finding is in scope, or you have a general question about security at Merion, email [email protected] with "Security" in the subject line.
