Security Disclosure Policy
Generation Global greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform in collaboration with the security community. This document defines how Generation Global works with the security research community to improve our online security.
Scope
This disclosure policy applies only to vulnerabilities in Generation Global platforms under the following conditions:
- Only vulnerabilities which are original and previously unreported and not already discovered by internal procedures are in scope.
The following security issues are currently not in scope (please don't report them):
- Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
- TLS configuration weaknesses (e.g. "weak" cipher suite support, TLS 1.0 support, Sweet32, etc.)
- Reports of non-exploitable vulnerabilities
- Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, X-Frame-Options, X-XSS-Protection, etc.) or suboptimal email-related configuration (SPF, DMARC, etc.)
Bug Bounty
Unfortunately, due to Generation Global's not-for-profit status, it is not currently possible for us to offer a paid bug bounty programme. We would, however, like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy. Reporters of qualifying vulnerabilities will be offered an appreciation letter from the Director of the programme.
Reporting a vulnerability
If you have discovered an issue which you believe is an in-scope security vulnerability, please email the address specified in the security.txt file including:
- The website or page in which the vulnerability exists.
- A brief description of the vulnerability class (e.g. "XSS vulnerability"). Please do not include any details that would allow the issue to be reproduced at this stage; we will request them subsequently over encrypted communications.
In accordance with industry convention, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately whilst also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers). Please ensure that you do not send your proof of exploit in the initial plaintext email if the vulnerability is still exploitable.
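The procedure above starts with reading our security.txt file to find the reporting address, and the follow-up detail is exchanged over an encrypted channel. The following is an added Python example, not code from Generation Global or from this policy, that parses a constructed security.txt in the RFC 9116 layout, checks that the file has not expired, picks the first mailto: Contact for the initial plaintext email, pulls out the Encryption URL for the encrypted follow-up, and checks that the file was fetched from the location its Canonical field claims. Every address and URL in the sample is a placeholder, not our real contact data.

```python
"""Read a security.txt (RFC 9116) file and work out where and how to report."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Optional, Union

# Constructed sample security.txt (RFC 9116 layout). Every URL and address
# here is a placeholder for illustration, not Generation Global's real data.
SAMPLE_SECURITY_TXT = """\
# Constructed example: not a real organisation's file
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Encryption: https://example.org/pgp-key.txt
Expires: 2099-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-disclosure-policy
"""

Fields = Dict[str, List[str]]


def parse_security_txt(text: str) -> Fields:
    """Return field name (lower-cased) -> list of values, in file order.

    Comments (#) and blank lines are skipped; a line without ':' is
    malformed under RFC 9116 and is ignored rather than guessed at.
    """
    fields: Fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2099-12-31T23:59:59Z as UTC-aware."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def is_expired(fields: Fields, now: Optional[Union[str, datetime]] = None) -> bool:
    """True if the file should not be relied on: Expires missing or in the past."""
    expires = fields.get("expires")
    if not expires:
        return True  # Expires is mandatory in RFC 9116
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    return now >= parse_timestamp(expires[0])


def preferred_email(fields: Fields) -> Optional[str]:
    """First mailto: Contact; RFC 9116 lists contacts in order of preference."""
    for contact in fields.get("contact", []):
        if contact.lower().startswith("mailto:"):
            return contact[len("mailto:"):]
    return None


def encryption_key_urls(fields: Fields) -> List[str]:
    """Where to fetch the public key for the encrypted follow-up exchange."""
    return list(fields.get("encryption", []))


def is_canonical(fields: Fields, fetched_from: str) -> bool:
    """Check that the URL we fetched from appears in the Canonical field.

    Guards against acting on a security.txt served from somewhere other than
    the location it claims to live at. With no Canonical field there is
    nothing to compare, so the check passes.
    """
    canonical = fields.get("canonical")
    if not canonical:
        return True
    return fetched_from.rstrip("/") in {c.rstrip("/") for c in canonical}


if __name__ == "__main__":
    f = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("expired:", is_expired(f))
    print("initial report goes to:", preferred_email(f))
    print("encryption key(s):", encryption_key_urls(f))
    print("canonical ok:", is_canonical(f, "https://example.org/.well-known/security.txt"))
```

Against a live site you would fetch https://<host>/.well-known/security.txt over HTTPS, pass the body to parse_security_txt, and refuse to proceed if is_expired or is_canonical fails; the Encryption URL is where the key for the second, detailed message comes from.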