If you believe you've found a security issue within our software, websites, or infrastructure, please let us know as soon as possible. We actively encourage and welcome private, coordinated and responsible disclosures.
We'll work alongside individuals and researchers who disclose potential issues to us privately and responsibly, to address any security concerns or vulnerabilities in a timely manner.
As our security team are English-speaking, we request that all reports be disclosed to us in English.
Typically, we'll respond within a matter of hours; however, we do request that you allow us up to 5 days for an initial acknowledgement before contacting us to chase a response.
Once we confirm your report, we then request that you allow us up to 30 days to address the issue. During this period, we'll keep you informed and provide you with timely updates. Once we believe that we've resolved the issue, we'll invite you to check/re-test and confirm.
In the case of a responsible disclosure, where the reporter also expresses an intent to publish details of the issue or vulnerability, we request that any such public disclosure be delayed until the issue or vulnerability has been fully addressed.
Once an issue or vulnerability has been resolved, we'll publish a security advisory in our security center where appropriate.
In the case that the vulnerability relates specifically to our MIDAS software (rather than to our websites), we request a further grace period of 90 days before a full public disclosure is made. This is to allow us to make a software update available to our customers and to allow them in turn the opportunity to update their software. A limited/partial public disclosure may be permitted by mutual consent in the interim, provided that it doesn't reveal any exploit method or include any PoC (proof-of-concept) code.
Should any public disclosure be made, we request that we're provided with a link to the published details.
Whether a monetary reward is offered and the amount will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue occurring/being exploited, as well as the researcher's cooperation and adherence to these guidelines.
For issues we consider to be of low severity and/or low likelihood of being exploited, it's unlikely that we'll be able to offer a monetary reward.
Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly on confirmation of a valid report.
If legal action is initiated by a third party against you in connection with activities conducted under these guidelines, we will take steps to make it known that your actions were conducted in compliance with these guidelines.