Technical Vulnerability Reporting Process

1. Purpose

The purpose of this process is to provide a structured approach for reporting, assessing, and remediating technical vulnerabilities within the company’s systems, networks and applications.

2. Scope

This process applies to all employees, contractors, vendors and external researchers who identify security vulnerabilities in the company’s infrastructure, applications or data processing systems. We value those who take the time and effort to report security vulnerabilities according to this process. However, we do not offer monetary rewards for vulnerability disclosures.

3. Reporting a Vulnerability

Any individual who identifies a potential vulnerability should report it promptly via the web form on the dedicated website security page.

Reports should include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any supporting evidence (e.g., screenshots, logs or proof-of-concept code)

4. Initial Triage and Acknowledgment

  • The security team will acknowledge receipt of the report to the reporter within 48 hours (two working days)
  • An initial assessment will be conducted to verify the validity and severity of the vulnerability
  • The reporter may be contacted for further clarification if applicable

5. Risk Assessment and Prioritisation

  • Verified vulnerabilities will be classified based on their severity (Critical, High, Medium, Low)
  • The impact and exploitability will be analysed using the industry-standard CVSS (Common Vulnerability Scoring System) framework
  • The security team will coordinate with relevant stakeholders to determine the remediation plan

6. Remediation and Mitigation

  • Depending on the severity, vulnerabilities will be addressed through patches, configuration changes or other mitigating controls
  • Critical vulnerabilities should be addressed within 24 hours (one working day)
  • Testing will be performed to ensure the applied fix effectively resolves the issue

7. Communication and Disclosure

  • Internal stakeholders will be informed about the vulnerability, its impact and the remediation timeline, as appropriate to the severity of the issue and the remediation required
  • If an external researcher reported the vulnerability, the company may provide updates on remediation progress where appropriate
  • In cases where public disclosure is necessary, a coordinated disclosure process will be followed, working with affected vendors or regulatory bodies if required

8. Documentation and Continuous Improvement

All reported vulnerabilities and remediation actions are logged in our Service Desk for tracking and auditing purposes. Lessons learned from each reported vulnerability will be analysed to improve security practices and prevent similar issues in the future.

9. Guidance

The company encourages responsible vulnerability reporting and ensures that no action will be taken against individuals who report in good faith.

You Must NOT:

  • Break any applicable law or regulations
  • Access unnecessary, excessive or significant amounts of data
  • Modify data in the company’s systems or services
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests
  • Disrupt the company’s services or systems
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers
  • Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support
  • Social engineer, ‘phish’ or physically attack the company’s staff or infrastructure
  • Demand financial compensation in order to disclose any vulnerabilities

You must:

  • Always comply with data protection rules and not violate the privacy of the company’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)

10. Legalities

This process is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the company to be in breach of any legal obligations. This process ensures the company effectively identifies, assesses and addresses vulnerabilities while fostering a culture of security awareness and continuous improvement.