Responsible disclosure

How to report a security issue to us, and what you can expect in return.

Maintaining secure and private services matters to us and to our customers. No connected system is ever fully "secure", and issues inevitably occur. If you discover a security issue, we would like to know about it so we can address it as quickly as possible and better protect our clients and systems.

We operate a responsible disclosure policy, which sets out the guidelines for reporting issues. We believe responsible disclosure is the industry's best practice, and we recommend it to anyone researching security vulnerabilities.

Not an invitation to scan

We do not invite scanning of our network unless we have entered into an agreement permitting it. Unauthorised scans and investigations may trigger automated blocking of services, which costs engineer time and disrupts customers.

Reporting a security problem

Should you discover a problem, use our contact page to tell us as soon as possible. Please provide a way for us to contact you in case we need more information.

We ask you to give us a minimum of 30 days to resolve the issue before publicising it. If you have followed this responsible disclosure policy, we will not pursue legal action, and we will work with you as we resolve the issue.

We do not consider configuration issues such as SPF and DMARC, data-entry field validation, or error pages such as 404 to be in scope of this policy.