Security vulnerabilities exist in any software or hardware implementation and our team is fully committed to working with customers, security researchers and others who wish to offer up improvement ideas, new feature requests or information on perceived security vulnerabilities.
To maintain a coordinated and collaborative approach and to support ethical and responsible vulnerability reporting practices, we will not pursue legal action if we conclude that any disclosures are made and remain in line with the guidelines below.
In the first instance, please report any security concerns to firstname.lastname@example.org with an email address and telephone number that we can contact you on should we need to.
We take security very seriously and will respond as quickly as we can to any security issues identified. Please understand that some of our software is very complex and it may take a little time to review and update you. We will respect a finder’s work if the guidelines below are adhered to, and we will do our best to acknowledge your disclosures and assign the necessary resources to investigate and fix potential problems as quickly as we can.
- Provide us with clear and full details of the vulnerability, and tell us precisely how you found it in order for us to reproduce the conditions, verify and validate the flaw.
- Agree a reasonable amount of time for us to address the issue before sharing it publicly. In default of providing us with a stated time to fix the default delay to resolve is 30 days from your notification to us, but this is to be extendable if we request.
- When testing for a vulnerability respect and do not infringe the rights of third parties.
- We do not condone security research that:
- Utilises a vulnerability or carrying out activity further than is necessary to establish its existence (e.g. downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data).
- Involves potential or actual denial of service of our applications and systems.
- Involves brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
- Includes requests for remuneration for the reporting of security issues either to us, or through any external marketplace. We do not run a bug bounty programme and do not offer compensation for any vulnerabilities that are reported. If requested, and these guidelines are followed, the security researcher will be credited on this page.