Guidance - You must NOT:
Break any applicable law or regulations.
Access unnecessary, excessive or significant amounts of data.
Modify data in the Organisation's systems or services.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Share, redistribute or fail to properly secure data retrieved from the systems or services.
Disrupt the Organisation's services or systems.
Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
Communicate any vulnerabilities or associated details other than by means described in this document.
Social engineer, ‘phish’ or physically attack the Organisation's staff or infrastructure.
Demand financial compensation in order to disclose any vulnerabilities.
Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Always comply with data protection rules and must not violate the privacy of the Organisation’s users, staff, contractors, services or systems.
What is firstname.lastname@example.org not intended for
The email@example.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will not be processed.