System Vulnerability Disclosure Policy
This Policy sets out the terms and conditions of our Responsible Disclosure Programme.
If you have discovered any vulnerabilities in our systems, please report these to us as soon as possible.
How to report vulnerabilities to hummgroup
Report system vulnerabilities to us as soon as possible so that we can improve the safety and reliability of our systems promptly. To report any such system vulnerability, use the Submission Form at the end of this Policy.
Once we have received your report, a team of security experts will investigate your findings. We endeavour to provide an initial response to any system vulnerability report within three working days (please note that there may be a delay in responding due to workload or holidays).
Please be aware that this Policy is not intended to cover, and does not cover, complaints, fraud or other similar matters.
Please see the section headed “Excluded from reporting” below.
hummgroup will pay a reward for qualifying system vulnerabilities reported in accordance with this Policy, if the reported vulnerabilities have been remediated.
The amount of the reward is subject to an assessment of the severity of the system vulnerability reported, the type of website (static information sites versus transactional sites) concerned and the quality of the report we receive. If the report is of great value for the continuity and reliability of the company or our services, the reward will be considerably higher.
Please note: going public with your finding will exclude you from eligibility for the reward. Please report the system vulnerability in accordance with this Policy and talk to our security experts so that we may assess and solve the problem. No reward will be provided if we find evidence of abuse or violation of the terms of this Policy.
System Vulnerability Disclosure Requirements
The following system vulnerability disclosure requirements apply in order for a report to qualify for a reward under this Policy:
- do not cause any damage to our systems;
- do not utilise social engineering in order to gain access to our IT systems;
- never let your investigation disrupt our online and other services;
- do not store, share, compromise or destroy hummgroup or customer data. If personal data is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact hummgroup;
- do not put a backdoor in the system, not even for the purpose of showing the system vulnerability. Inserting a backdoor will cause even more damage to the safety of our systems;
- do not make any changes to or delete data from the system. If your finding requires you to copy the data from the system, do not copy more data than necessary. If one record is sufficient, do not copy any more records;
- do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with others;
- do not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system; and
- do not use techniques that can affect the availability of our online and other services.
Please be aware that:
- system vulnerabilities detected and reported by hummgroup employees or former employees are not eligible for any reward;
- if your reported system vulnerability has also been reported by another person, any associated reward will be granted only to the first person to report the system vulnerability in question;
- multiple reports for the same system vulnerability type with only minor differences will be treated as one report (i.e. eligible for a single reward only); and
- if you are eligible for a reward, you must provide your personal information and any other information we reasonably request in connection with your report, in order to provide you with the reward.
Excluded from reporting
The following are excluded from reporting under this Policy, and are not eligible for a reward:
- reported system vulnerabilities without properly described evidence, a proof of possible exploitation, or any other information reasonably required by hummgroup;
- vulnerabilities found on sites of organisations that are no longer part of hummgroup (former business units);
- our policies on presence or absence of SPF/DKIM/DMARC records;
- our policies on presence or absence of DNSSEC;
- Cross-Site Request Forgery (CSRF) vulnerabilities on static pages (CSRF is in scope only on pages behind logon);
- redirection from HTTP to HTTPS;
- HTML does not specify charset;
- HTML uses unrecognised charset;
- cookie without HttpOnly flag set;
- absence of HTTP Strict Transport Security (HSTS);
- clickjacking or the non-existence of X-Frame-Options on non-logon pages;
- cacheable HTTPS response pages on sites that do not provide money transfer capabilities;
- disclosure of a server or third-party application version that may be outdated, without a proof of concept demonstrating its exploitation;
- reports of insecure SSL/TLS ciphers and other TLS misconfigurations;
- generic vulnerabilities related to software or protocols not under control of hummgroup;
- Distributed Denial of Service (DDoS) attacks;
- phishing or social engineering techniques;
- reports consisting of routine scan output (e.g. from port scanners); and
- physical testing.
This Policy applies to system vulnerabilities only. Accordingly, the following matters are not eligible for a reward under this programme:
- reporting complaints about humm’s services or products;
- questions and complaints about the availability of humm websites or mobile applications;
- reporting fraud or suspected fraud; or
- reporting malware.