Have you found a vulnerability in our systems?
If you discover a technical vulnerability within our systems, there's a process for reporting it. This process is referred to as Coordinated Vulnerability Disclosure (CVD). However, if you come across a vulnerability in a system or product that's not part of our platform, your initial step should be to report it to the owner of that particular system or product. You should only reach out to our technical team if the responsible organization does not respond adequately to address the vulnerability. In such cases, we'll step in as an intermediary and work to bring the vulnerability to their attention. For any inquiries or comments unrelated to cybersecurity, please feel free to contact us through our "Contact Us" page.
Furthermore, if you identify vulnerabilities that affect multiple systems or suppliers, don't hesitate to get in touch with our technical team. In these instances, we can assist in coordinating a solution for the identified vulnerabilities. You can report these vulnerabilities by using our contact form, and we'll reach out to you to facilitate the resolution process.
What vulnerabilities can be the subject of a CVD?
You can report vulnerabilities to us if they have the potential to compromise system security. For instance, these might include vulnerabilities that allow login forms to be bypassed or grant unauthorized access to databases containing personal information.
It's important to note that not every system defect qualifies as a vulnerability. Typically, the following defects are not likely to result in a security breach, and we kindly ask that you refrain from reporting such issues to us:
- Defects that do not affect the availability, integrity or confidentiality of data.
- The availability of the WordPress xmlrpc.php functionality when its abuse is limited to what is known as a 'pingback denial-of-service' attack.
- The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
- The availability of version information, for example via an info.php file. One possible exception in this scenario is when the version information reveals that the system uses software that contains known vulnerabilities.
- The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.
- Certificates such as SSL or domain names that are about to expire.
If you are in doubt as to whether the defect you have found falls into one of the above exceptions, you can still report the defect to us. We will then determine whether the defect constitutes a vulnerability and take appropriate follow-up action.
How do you submit CVDs?
Please take the following steps:
- Fill in the contact form and tell us what you have found.
- In your report, please describe as clearly as possible how the problem can be reproduced, as this will help speed up the resolution process. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require additional information. In such cases we will contact you.
- At the very least, please provide an email address or phone number so that we can contact you if we have any questions. We prefer to communicate by email.
Ensure that you:
- Report the vulnerability as soon as possible after you discover it.
- Do not tell anyone else about the security issue until you hear from us that it has been resolved.
- Handle knowledge of the vulnerability in a responsible manner, for example, by not taking any further action with the vulnerability other than what is necessary to demonstrate the vulnerability.
What must you not do?
You must never carry out any of the following actions:
- Introduce malware into the system.
- Copy, edit or delete data in the system.
- Make changes to the system.
- Access the system repeatedly or share access to the system with others.
- Perform brute force attacks to gain access to a system.
- Perform denial of service attacks or social engineering.
Principles of our CVD policy
- If you submit your report in accordance with the procedure, there will be no legal consequences in relation to your report. We will treat your report in confidence and will not disclose your personal information to any third party without your permission, unless required to do so by law or court order.
- We will only identify you as the discoverer of the vulnerability in question if you give us permission to do so.
- We will acknowledge receipt of the report within one working day and then send you an assessment of your report within three working days. We will also keep you informed of progress in resolving the issue.
- Our security team will endeavour to resolve the security issue you report within a maximum of 60 days. Once the problem has been resolved, we will consult with you to determine whether and how to publish details of the problem and its resolution.
- Our security team will also offer a reward to thank you for your help. This reward can range from a coffee, to a t-shirt, to gift vouchers, depending on the severity of the vulnerability and the quality of the report. To be eligible for a reward, the report must be a serious vulnerability that our security team has not seen before.