Responsible Disclosure Policy
This Policy sets out the terms and conditions of our Responsible Disclosure Programme.
If you have discovered any vulnerabilities in our systems, please report these to us as soon as possible.
How to report vulnerabilities to hummgroup
Report vulnerabilities to us as soon as possible so that we can improve the safety and reliability of our systems promptly. To report a vulnerability, use the Submission Form at the end of this Policy.
Once we have received your report, a team of security experts will investigate your findings. We endeavour to provide an initial response to any vulnerability report within three working days (please note that there may be a delay in responding due to workload or holidays).
hummgroup will pay a reward for qualifying vulnerabilities reported in accordance with this Policy, if the reported vulnerabilities have been solved or have resulted in a change in our services.
The amount of the reward is subject to an assessment of the severity of the vulnerability reported, the type of website (static information sites versus transactional sites) concerned and the quality of the report we receive. If the report is of great value for the continuity and reliability of the company, the reward will be considerably higher.
Please note: going public with your finding before we have addressed the vulnerability will exclude you from eligibility for the reward. Please talk to our security experts so that we may assess and solve the problem. The reward will be declined if we find evidence of abuse or violation of the terms of this Policy.
Responsible Disclosure Requirements
The following responsible disclosure requirements apply:
- Do not cause any damage to our systems
- Do not utilise social engineering in order to gain access to our IT systems
- Never let your investigation disrupt our online and other services
- Do not store, share, compromise or destroy hummgroup or customer data. If personal data that is not publicly available is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact hummgroup.
- Do not put a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to the safety of our systems
- Do not make any changes to or delete data from the system. If your finding requires you to copy the data from the system, do not copy more data than necessary. If one record is sufficient, do not copy any more records
- Do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with others
- Do not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
- Do not use techniques that can affect the availability of our online and other services
- Vulnerabilities detected by hummgroup employees or former employees are excluded from any rewards
- If your reported vulnerability has also been reported by others, the reward will be granted to the individual who first reported it
- Multiple reports for the same vulnerability type with minor differences will be treated as one report (only one submission will be rewarded)
- If you are eligible for a reward, we will require your personal information to provide you with the reward
We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organisation takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority treats your personal information confidentially.
Excluded from reporting
The following are excluded from reporting under this Policy, and are not eligible for a reward:
- All reported vulnerabilities without a properly described report evidencing proof of possible exploitation
- Vulnerabilities found on sites of organisations that are no longer part of hummgroup (former business units)
- Our policies on presence or absence of SPF/DKIM/DMARC records
- Cross-Site Request Forgery (CSRF) vulnerabilities on static pages (only CSRF on pages behind logon is in scope)
- Redirection from HTTP to HTTPS
- HTML does not specify charset
- HTML uses unrecognised charset
- Cookie without HttpOnly flag set
- Absence of HTTP Strict Transport Security (HSTS)
- Clickjacking or the non-existence of X-Frame-Options on non-logon pages
- Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
- Server or third-party application version disclosure, including possibly outdated versions, without a proof of concept demonstrating exploitation
- Reports of insecure SSL/TLS ciphers and other misconfigurations
- Generic vulnerabilities related to software or protocols not under control of hummgroup
- Distributed Denial of Service Attacks
- Phishing or Social Engineering techniques
- Reports of regular scans like Port scanners
- Physical testing
Additionally, the following reports are not eligible for a reward under this programme:
- Reporting complaints about humm’s services or products;
- Questions and complaints about the availability of humm websites or mobile applications;
- Reporting Fraud or the presumption of fraud; or
- Reporting malware.