Vulnerability disclosure

Thanks for your interest in our Vulnerability Disclosure Program (VDP). We value the effort of the security community in helping us identify and address potential vulnerabilities.

This program aims to enhance the security of our systems and protect our users. By participating in our VDP, you agree to follow these guidelines.

Responsible disclosure

We encourage responsible disclosure of any discovered vulnerabilities.

We expect all parties involved to act in good faith, adhere to the law, and prioritise the safety and privacy of our users.

Scope

Our VDP covers all of our online assets and services, including websites, web applications, mobile applications, APIs, and other related technologies.

Vulnerabilities affecting our systems and services are eligible for disclosure.

Response and resolution

We will acknowledge receipt of your vulnerability report within 5 business days.

Our security team will conduct a thorough review and validation of the reported vulnerability. We aim to address all valid issues promptly and transparently.

We may coordinate with you to establish a vulnerability summary, and only publicise once the vulnerability has been remediated.

Recognition and rewards

We appreciate your effort to improve our security, and may publicly recognise your contribution if you meet certain criteria, such as being the first to report a specific vulnerability.

While we do not offer a bug bounty, a discretionary reward will be considered depending on the vulnerability disclosed.

Coordinated disclosure

We endorse the principles of coordinated disclosure, acting in good faith, and collaborating to resolve security issues.

We commit not to pursue legal action against researchers who adhere to these guidelines.

In-scope vulnerabilities

Our program covers a range of security vulnerabilities, including but not limited to:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorised access to sensitive data

Vulnerability reporting

Please provide details of the vulnerability you wish to report