Security Research

Bug Bounty Program

MemorDesk handles sensitive meeting data for thousands of teams. We take security seriously and we value the researchers who help us keep it that way. Report a vulnerability and earn recognition for responsible disclosure.


About the program

MemorDesk stores meeting recordings, transcripts, and AI-generated summaries. Our multi-tenant architecture means a single access control flaw could expose private conversations belonging to multiple organizations.

We run a private bug bounty program. All reports are reviewed by our security team, verified in a staging environment, and responded to directly. We reward and credit researchers who follow responsible disclosure principles.

  • Response SLA: Acknowledgment within 3 business days
  • Fix timeline: Critical issues patched within 7 days
  • Disclosure policy: Coordinated - we notify you before publishing
  • Contact: security@memordesk.com

Severity tiers

We classify issues using a four-tier severity model. Rewards are based on severity, quality of the report, and exploitability in a real-world scenario.

Critical

  • Unauthenticated access to another user's meeting recordings or transcripts
  • Remote code execution on MemorDesk infrastructure
  • Complete bypass of multi-tenant data isolation (cross-workspace data leak)
  • Mass credential extraction or authentication token forgery

High

  • Authenticated cross-tenant data access (viewing another org's data)
  • Privilege escalation to admin role without authorization
  • Stored XSS that executes in other users' sessions
  • Significant information disclosure of PII or meeting content

Medium

  • CSRF on sensitive actions (account deletion, plan changes)
  • Insecure direct object reference exposing non-sensitive metadata
  • Reflected XSS or open redirect with limited impact
  • Business logic flaws that allow unintended feature access

Low

  • Missing security headers with low exploitability
  • Rate limiting gaps on non-critical endpoints
  • Information disclosure of non-sensitive data (app version, stack)
  • Self-XSS or issues requiring significant user interaction

Scope

In scope

  • memordesk.com and all subdomains
  • The MemorDesk web application and dashboard
  • All public-facing API endpoints
  • Authentication and session management flows
  • Multi-tenant data isolation and access controls
  • Meeting recording, transcription, and storage pipelines
  • Webhook integrations (Zoom, Google Calendar, Slack)
  • AI assistant (Kojo) and memory/embedding endpoints

Out of scope

  • Third-party services and infrastructure we do not control
  • Social engineering, phishing, or physical attacks against staff
  • Denial of service attacks of any kind
  • Automated scanning without prior written approval
  • Issues already known or reported by another researcher
  • Findings from accounts you do not own or have explicit permission to test
  • Vulnerabilities in outdated browsers or OS versions with no patches available

Submission process

Four steps from discovery to resolution.

01. Find a vulnerability

Identify a reproducible issue on MemorDesk-owned assets. Confirm it is in scope before proceeding.

02. Write your report

Document the impact, reproduction steps, and your methodology. Clear reports get reviewed and rewarded faster.

03. Submit via email

Send your report to security@memordesk.com. We acknowledge all submissions within 3 business days.

04. Verification and reward

Our team verifies the issue, classifies severity, applies a fix, and contacts you about recognition.

What to include

A complete, reproducible report moves through triage faster and increases your chance of a reward. Vague or incomplete reports may be closed without action. You can submit in any language.

  1. Clear title describing the vulnerability class and affected component
  2. Step-by-step instructions to reproduce the issue from scratch
  3. Proof of concept (screenshot, video, or working request/response)
  4. Actual and potential impact on confidentiality, integrity, or availability
  5. Your assessment of the severity and why
  6. Any suggested mitigations or root cause analysis you have identified

Rules of engagement

Researchers who follow these rules operate under safe harbor. Violations may result in disqualification and legal action.

1. Only test against accounts and data you own or have explicit written permission to access.

2. Do not exfiltrate, modify, delete, or publicly disclose data belonging to other users.

3. Immediately stop testing and report if you encounter sensitive third-party data.

4. Do not disclose the vulnerability publicly until we have issued a fix and confirmed it with you.

5. Do not perform social engineering, phishing, or physical intrusion attempts.

6. Act in good faith - the goal is to improve security for all MemorDesk users.

Ready to report?

Send your report to our security team. We review every submission and respond to all valid findings, regardless of severity.

By participating you agree to our responsible disclosure policy and rules of engagement above.