Vulnerability Disclosure programme
Protecting Nominet’s registry services from attack is key to maintaining the high standard of service people expect – the newly adopted Vulnerability Disclosure Programme will help us achieve that.
We are using an experienced third-party platform, HackerOne, with clear guidelines that will make it easy for security researchers to report vulnerabilities to us. The HackerOne service enables swift triage of any findings, and the team escalates them to Nominet for action. The platform will reward researchers with status points for submitting valid reports, which will raise their profile and reputation.
Any public report of a vulnerability will follow mutual agreement by both parties. Please see HackerOne’s guidelines for further information.
Programme Rules
- Automated tests/scans against our network will not be tolerated
- Please submit all vulnerabilities via HackerOne. The team will triage and track all vulnerabilities via HackerOne.
- Please provide detailed reports with reproducible steps. If the report lacks enough detail to reproduce the issue, the team may decide not to mark it as triaged.
- Do not destroy or disclose any data discovered
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced)
- Do not perform any attacks that will result in high volumes of traffic (such as Denial of Service attacks)
- Do not perform testing outside the scope of this policy
- Do not publicly disclose or share the vulnerability details without the written permission of Nominet
- Do not discuss details of your reports or any vulnerabilities (even resolved ones) outside of the programme without express consent from Nominet. Please follow HackerOne’s disclosure guidelines.
Please visit our HackerOne page to review our full Vulnerability Disclosure Policy.