Welcome to Morgan Stanley Responsible Disclosure

Powered by Synack

Security vulnerabilities may be submitted in connection with the applications of Morgan Stanley and its affiliated businesses, including those of E*TRADE, Shareworks, and Eaton Vance.
By submitting a vulnerability to Morgan Stanley through ResponsibleDisclosure.com, you agree to the Terms of Service.
Get Started

Responsible Disclosure Policy:

This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.

If you have reported an issue determined to be within program scope, is determined to be a valid security issue, and you have followed program guidelines, ResponsibleDisclosure.com will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to responsibledisclosure.com.



Typical Vulnerabilities Accepted:

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact


Typical Out of Scope:

  • Theoretical vulnerabilities
  • Informational disclosure of non-sensitive data
  • Low impact session management issues
  • Self XSS (user defined payload)

For a full list of program scope please visit the Responsible Disclosure details page


Responsible Disclosure Guidelines:

In submitting a request, you agree:

  • To accept the ResponsibleDisclosure.com Terms of Service.
  • To work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith
  • To provide detailed description of a proof-of-concept to detail reproduction of vulnerabilities
  • Not to engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
  • Not to engage in social engineering or phishing of customers or employees
  • You are not entitled to compensation and you will not request compensation for time and materials or vulnerabilities discovered
  • To understand the complexities of the review process: Vulnerability adjudication is performed considering the program scope as well as mitigating factors that may nullify or reduce specific risks to acceptable levels. Decisions are made in a thoughtful manner and are final.