Vulnerability Disclosure Policy


This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to, provided that’s website has a published security.txt file that references this policy.

We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.


If you believe you have found a security vulnerability relating to’s system, please submit a vulnerability report to

In your report please include details of:

  • Title: Concise summary categorizing the vulnerability and the site/application where it can be found. Example: Reflected XSS on the website
  • Asset (M): Web address, IP address, product, service name, etc.
  • Weakness: Such as a CVE
  • Severity: Such as low, medium, high, critical, and calculated via CVSS
  • Description of the Vulnerability (M):
    • A summary of the vulnerability
    • Supporting files (e.g., screenshot or video)
    • Any mitigations or recommendations
  • Steps to reproduce (M):
    • Clear and descriptive steps to reproduce the vulnerability
    • These should be benign, non-destructive, proof of concept.
  • Impact: The effects of successfully exploiting the vulnerability.
  • Contact details:
    • Name
    • Email Address (These details are optional to enable anonymous reporting)

(M) denotes mandatory field

What to expect

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify our guidance, so please do continue to coordinate public release with us.


You must NOT:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive, or significant amounts of data.
  • Modify data in’s systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g., overwhelming a service with a high volume of requests.
  • Disrupt’s services or systems.
  • Submit reports detailing non-exploitable vulnerabilities or reports indicating that the services do not fully align with “best practice”, for example, missing security headers.
  • Submit reports detailing TLS configuration weaknesses, for example, “weak” cipher suite support or the presence of TLS1.0 support.
  • Social engineer, ‘phish’ or physically attack’s staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Always comply with data protection rules and must not violate the privacy of any data holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).


This policy is designed to be compatible with common vulnerability disclosure best practice. It does not give you permission to act in any manner that is inconsistent with the law or which might cause, our customers, or partner organizations to be in breach of any legal obligations.

Scroll to Top