Vulnerability Disclosure Program

Purpose of the Vulnerability Disclosure Program

The security of our systems is of utmost importance to us. Despite our best efforts to maintain a secure environment, vulnerabilities can still exist.

We value the insights of the security community and encourage responsible disclosure of potential vulnerabilities. Our Vulnerability Disclosure Program allows you to responsibly share your findings with us.

If you discover a potential vulnerability in any of our systems, services, or products, please notify us as soon as possible. Follow the process outlined below under "How to Disclose a Vulnerability."

The purpose of this program is to receive, assess, and remediate cybersecurity vulnerabilities. We encourage security researchers and professionals to report vulnerabilities. Please note, this program is not for general inquiries unrelated to security vulnerabilities.

Program Scope

Our Vulnerability Disclosure Program covers:

  • Any product or service owned by us to which you have legal access.
  • Any product, service, and infrastructure we provide to shared service partners to which you have legal access.

Disallowed Activities

To ensure the integrity of the program, the following research activities are disallowed:

  • Social engineering or phishing
  • Denial of Service (DoS) or Distributed DoS (DDoS) attacks
  • Physical attacks
  • Attempts to modify or destroy data
  • Clickjacking
  • Accessing or attempting to access accounts or data that do not belong to you
  • Any activity that violates any law
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Automated vulnerability scan reports
  • Leveraging deceptive techniques
  • Exfiltrating any data under any circumstances
  • Testing third-party websites, applications, or services that integrate with our services or products
  • Disclosure of known public files or directories
  • Reporting lack of Secure or HttpOnly flags on non-sensitive cookies
  • Usage of a known vulnerable library or framework without a valid attack scenario

Do not report security vulnerabilities related to missing security controls or protections that are not directly exploitable, such as:

  • Weak, insecure, or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • Misconfigured DNS (domain name system) records, including SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
  • Missing security HTTP (hypertext transfer protocol) headers
  • Theoretical cross-site request forgery and cross-site framing attacks

How to Disclose a Vulnerability

To report a potential security vulnerability, please email: [email protected]

Do not use LinkedIn or email to make direct reports to staff members, as this will delay the process.

Please include as much information as possible:

  • Details of the potential security vulnerability
  • List of potentially affected products and services (if possible)
  • CVSS Vector String (CVSS 3.1 or greater preferred)
  • CVSS Risk Score
  • Steps to reproduce the vulnerability
  • Proof-of-concept code (if applicable)
  • Names of any test accounts you have created (if applicable)
  • Your contact details (optional)
  • Whether you would like public acknowledgment for your contribution and the name you would like to be acknowledged under

Post-Disclosure Process

When you report a vulnerability, we will:

  • Respond to you within 2 business days
  • Recognise your contribution to our program if you choose public acknowledgment for your contribution

Please note:

  • We will not financially compensate you for reporting.
  • We will not share your details with any other organisation without your permission.

Acknowledgments

With your permission, we will publish the names or aliases of people who contribute to our Vulnerability Disclosure Program in the Security Hall of Fame.