MYOB is committed to resolving any issues that may compromise the security of our products and services as quickly as possible. We take security vulnerabilities very seriously and protecting client data is one of our top priorities.
If you have discovered a security vulnerability, we would appreciate if you could keep your findings strictly confidential and disclose the relevant information to us in a responsible manner, as described below.
How to report a security vulnerability?
If you think you’ve found a security vulnerability in MYOB products, services or online platforms, please contact us immediately via email and encrypt your report with our PGP key below:
Email contact: Vulnerabilityreport@myob.com
PGP Key: 702A28D9
Fingerprint: 0304 AA70 BFEC 40C8 75F0 BBD4 2A40 D90B 702A 28D9
What to include in the report?
Please provide as much detail as possible. In particular, we would appreciate the following:
An explanation of the security vulnerability
A list of the products and services that may be affected (versions where applicable)
Steps to reproduce the vulnerability
Proof-of-Concept code or software
Test accounts you have created
URLs, IP addresses or infrastructure associated with the vulnerability (if relevant)
Your contact information, such as your organisation and contact name for ongoing communication
Please also advise if you have communicated the vulnerability to CERT or other parties and provide us with any reference numbers.
Rules of engagement
Please do not:
Take advantage of a security vulnerability
Access, delete or modify MYOB or client data
Publicly disclose a vulnerability until it has been resolved
Download more data than necessary to demonstrate a vulnerability
Attempt to break into client accounts
Ask for compensation for your report
Use Social Engineering, Denial of Service or Phishing attacks
Next steps
Please maintain confidentiality and do not make your research public until we have completed our investigation and implemented patches or other mitigations.
The MYOB security team will endeavour to contact you within 72 hours of you reporting the security vulnerability and keep you informed on our progress towards resolving the vulnerability. We will notify you when the security vulnerability has been patched or mitigated, and add your name to our acknowledgments page if it is a valid high or critical vulnerability.
Acknowledgments to Security Researchers
MYOB thanks all security researchers and professionals that help improve the security of MYOB products and services through our responsible disclosure program:
Kevin Yehezkiel Gurning
Isaac Kristof
Mahad Ahmed Siddiqui
Ketankumar B. Godhani
Cody Zacharias
Eliot Jacobs
Mohammed Israil
Sergius Low Jun Kai
Li Chaohan (Bon)
Teoh Tze Jun (Ryan)
Chirag Gupta
Muhammad Qasim Munir
Ifrah Iman
Guhan Raja.L
Shwetabh Suman
Aniket Surwade
Vyshnav NK
Oways
Akalanka Ekanayake (Jake Logan)
Ashish Upsham
Ronak Nahar
Anusha Deekonda
Syed Abuthahir
Deepak Kolte
Vedant Tekale
Jitendra Chandel @bugc4tch3r
Devang Karelia
Pulkit Pandey
Adi Kadić
Ahmed Salah Abdalhfaz
Guillermo Gregorio
Ian Carroll
Steven Hampton
Fabio Pires
Francesco Mifsud
Kirtikumar Anandrao Ramchandani
Abdelali Khalfi
Nathu Nandwani
Harika Naidu
Samet ŞAHİN
Yin Zhang
Tijo Davis
Sagar Yadav
Robbie Wiggins
Vardan Bansal
Rayhan Ahmed (Rayhan0x01)
Aman Mahendra
Lütfü Mert Ceylan
Lanzeintegra Technologies
Harrison Mitchell
Ramesh Kumar Sekar
Asaf Aprozper (Reposify)
Aishwarya Kendle
Badal Sardhara
Nishant N. Lungare
Virendra Yadav
Asim Delalić
Srikar V
Rachit Verma (@b43kd00r)
Husain Murabbi (cyber_humans)
Mansoor Rangwala (cyber_humans)
Yosri Debaibi