Responsible Disclosure

Keeping our clients' information safe and secure is a top priority. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution.

For some time, we’ve run a successful private Bug Bounty program through Bugcrowd, and are now extending this to a public program.

To submit a vulnerability you’ve found, you will first need to sign up for free as a Bugcrowd researcher and then submit your findings directly to our program. As Bugcrowd provides a structured approach to handling such submissions, we won’t consider any vulnerabilities submitted by other routes.

Program Guidelines

We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).

We are under no obligation to pay out for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies. We reserve the right to withdraw this scheme at any time and shall have no obligation to pay out for any bugs submitted after closure of the scheme. We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above.

Following these guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.

Legal Notices and related information