Vulnerability disclosure

Thanks for your interest in our Vulnerability Disclosure Program (VDP). We value the effort of the security community in helping us identify and address potential vulnerabilities.

This program aims to enhance the security of our systems and protect our users. By participating in our VDP, you agree to follow these guidelines.

Responsible disclosure

We encourage responsible disclosure of any discovered vulnerabilities.

We expect all parties involved to act in good faith, adhere to the law, and prioritise the safety and privacy of our users.

Scope

Our VDP covers all of our online assets and services, including websites, web applications, mobile applications, APIs, and other related technologies.

Vulnerabilities affecting our systems and services are eligible for disclosure.

Reporting a vulnerability

If you believe you’ve discovered a security vulnerability, please follow the steps below to report it responsibly:

  • Fill in our vulnerability submission form with your findings.
  • Provide information, including a technical description of the vulnerability, affected product or service, steps to reproduce, and any proof-of-concept or exploit code. A recording of the vulnerability discovery is optional, but it speeds up confirmation.
  • Include your contact information (name and email) for communication and recognition purposes.

Response and resolution

We will acknowledge receipt of your vulnerability report within 5 business days.

Our security team will conduct a thorough review and validation of the reported vulnerability. We aim to address all valid issues promptly and transparently.

We may coordinate with you to establish a vulnerability summary, and only publicise it once the vulnerability has been remediated.

Recognition and rewards

We appreciate your effort to improve our security, and may publicly recognise your contribution if you meet certain criteria, such as being the first to report a specific vulnerability.

While we do not offer a bug bounty, a discretionary reward will be considered depending on the vulnerability disclosed.

Coordinated disclosure

We endorse the principles of coordinated disclosure, acting in good faith, and collaborating to resolve security issues.

We commit not to pursue legal action against researchers who adhere to these guidelines.

In scope vulnerabilities

Our program covers a range of security vulnerabilities, including but not limited to:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorised access to sensitive data

Out of scope vulnerabilities

The following issues are considered out of scope for our VDP:

  • Physical attacks or attempts
  • Social engineering or phishing attacks
  • Volumetric distributed denial of service (DDoS) attacks
  • Vulnerabilities affecting outdated or unpatched browsers and platforms
  • Reports without clear security impact (e.g., clickjacking without sensitive actions)
  • Automated tools or scans without prior authorisation

Vulnerability reporting

Please provide details of the vulnerability you wish to report