VDP: Scope Update and our Path Forward
10/20/2025, 1:10:44 PM

Dear Researchers,

Welcome to the first official update for the Citymesh Vulnerability Disclosure Program (VDP). We're excited to establish a more direct line of communication and share some important news with you.

A Quick Introduction
For those who may not be familiar with us, Citymesh is a key player in connectivity solutions, providing private 5G/LTE networks, Wi-Fi, and IoT services. Our dedicated security team has partnered with Intigriti to engage with the talented security community—that’s you!
Our goal is simple: to work collaboratively to continuously identify and remediate vulnerabilities, ultimately strengthening our overall security posture. We believe that a transparent and cooperative relationship with researchers is one of the most effective ways to achieve this.

Important: Scope Update
Last week, we pushed a significant update to our program's scope. This expansion is the first of many planned updates and includes:

  • New IP ranges
  • Additional domains
  • New applications

We encourage you to review the updated scope (and out-of-scope) page thoroughly for all the details.

This is part of our ongoing commitment to keep the program relevant and challenging. You can expect continuous updates moving forward, including minor scope adjustments, updated asset descriptions for better context, and refinements to our 'Out of Scope' section to exclude known issues or customer assets.

Our Appreciation & The Path Forward
We want to extend a sincere thank you to every researcher who has dedicated their time and expertise to our VDP so far. We've been impressed with the quality of the submissions.

While this VDP is an unpaid program, we see it as a crucial proving ground and a gateway to our other security initiatives. We want to be clear about the opportunities available:

  • Invitations to our Private Bug Bounty Program: Top-performing researchers who consistently submit high-quality, actionable reports will be the first to be considered for invitations to our private, paid Bug Bounty Program when it resumes.
  • Hybrid Pentesting Opportunities: Exceptional talent may also be invited to participate in specific, paid hybrid pentesting engagements.
  • Following the Rules of Engagement: A key prerequisite for any invitation is strict adherence to our program's Rules of Engagement. Professionalism, clear communication, and respect for the scope are paramount to building the trust required for these opportunities.

Finally, we want to be transparent about how we handle exceptional findings. Although the VDP is unpaid, we believe in rewarding exceptional impact. Our team internally reviews all submissions, and extraordinary cases may be considered for a discretionary reward.

We are committed to fostering a relationship built on transparent and clear communication. We look forward to a productive collaboration with you—the researcher community—and the excellent Intigriti triage team to collectively strengthen Citymesh's security.

Happy hunting!

Best regards,

The Citymesh Security Team