Submissions via: bugbounty@global.com

1. Information

It’s important that anybody can contact us, quickly and effectively, with security concerns or information pertinent to:

– Our customers’ privacy;
– Our suppliers’ privacy;
– The confidentiality, integrity or availability of our systems.

We operate this responsible disclosure policy to help security professionals and others alert us to any security concerns as quickly as possible and with the minimum of fuss.

2. Response Targets

Global will make reasonable efforts to respond to submissions to our programme in a timely manner. Please note the mailbox is only monitored:

– 09:00 – 17:00 (UTC) Monday to Friday. (Excluding UK public holidays)

We endeavour to keep you informed about our progress throughout the process and alert you if we’re delayed for any reason.

3. Disclosure Policy

We request that you always act responsibly and in the best interests of Global and our customers. In particular:

– Do not break the law;
– Do not use social engineering techniques, phishing, or physical attacks against our customers, infrastructure or staff;
– Do not perform any attack that could harm the reliability or integrity of our systems, services or data. DoS and/or spam attacks are not allowed;
– Do not put any Global data or customer data at risk;
– Do not make the bug public before it has been fixed; and
– When in doubt, email us.

Out-of-scope areas and exceptions include:

– DoS or DDoS.
– Destructive or performance-impacting attacks or testing.
– Social engineering or Phishing.
– Submissions relating to clickjacking.
– Submissions relating to tabnabbing.
– Submissions of TLS configuration weaknesses (e.g. “weak” ciphersuite support, TLS1.0, TLS1.1 support, sweet32 etc.) or Certificate issues.
– Submissions indicating that our services do not fully align with “best practice” e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or suboptimal email related configuration (SPF, DMARC etc.).
– Simple rate-limiting issues without a security impact.
– Submissions entirely comprising output from commonly available automated scanners.
– Submissions that do not pertain to Global’s assets, and submissions that include the following domains: captivate.fm, globalacademy.com, mmdmedia.nl, store.global.com
– Submissions of non-exploitable vulnerabilities.

When reporting an issue to us:

– Please highlight security issues in third-party apps or websites that integrate with global.com;
– Be specific;
– Provide a detailed and complete submission (masking or encrypting if necessary);
– Reference existing vulnerability information, where relevant.

It is important to follow the above guidelines so that we treat your communication as a responsible disclosure and not an attack or extortion.

Be aware that Global run internal scans and testing and we may already be aware of any submission.

4. Rewards

All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by our in-house team. We do not offer a published score against CVSS metrics or similar. Each submission is judged on its own merit, applying many factors such as severity, business function of the system, the cost to mitigate, etc.

We do not guarantee that a reward will be paid and Global’s assessment of the severity of an issue and the corresponding amount of any reward, if any, will be final.
To be eligible for a reward, you must agree and adhere to our rules set out in section 5 below.

5. Rules

By submitting a report, you agree to comply with the following rules:

1. The Terms of Use for global.com as set out here;

2. The terms of our Privacy Notice. In particular, you agree that we can use your submission and its contents to ensure the security, integrity and reliable operation of our systems, technology and business; and

3. The applicable sections of our Terms and Conditions and Regulatory requirements, outlined here.

4. Upon Global’s request, you will agree and sign: (i) a Non-Disclosure Agreement; and (ii) a Letter of Undertakings, formally confirming that you have not downloaded, made copies of or shared with any third parties any information accessed by you and belonging to Global, and undertaking that you will continue to do the same.

Your submission should contain the following:

– Clear description and evidence of the vulnerability (logs, screenshots, responses);
– Detailed steps to reproduce the issue;
– Any platforms, operating systems, versions that are relevant;
– Any relevant IP addresses or URLs;
– Any supporting evidence you have collected (logging, tracing, etc.);
– Your assessment of the exploitability or impact of the issue;
– Your name, role (if appropriate) and contact details.

Please preserve as much evidence as possible as we may need to examine it.
We reserve the right to consider certain sites or sub-sites to be ineligible for any bounty or disclosure rewards.

It is important that we respond quickly and effectively; however, we take steps to manage spam so that we can quickly identify relevant email and therefore quality submissions. We discourage and will not respond to:

– Reports of generic vulnerabilities with no evidence of relevance to our systems;
– Denial-of-Service attacks (DoS);
– Reports of any information already in the public domain;
– Reports that are vague or non-actionable.

We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Global and its customers.

6. Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in good faith and in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

7. Confidentiality

You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential. You must not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.

8. Invoicing Requirements

Once we have agreed to pay you a reward and sent you a purchase order, you will be required to submit an invoice containing the following details:

– Your full name

– Your address

– Email

– Billed to: [Address]

– Invoice date

– the Purchase Order number provided in the format PO-00*****

– Full bank details including IBAN/SWIFT/BIC/Account Number (whichever is relevant for the country)

– Bank name

– Full Bank address

– Your registered bank account name – this must match the invoice name

– a description of work undertaken

– the value as set out in the Purchase Order.

We cannot make a payment unless all the above details are included in the invoice.

We will make commercially reasonable efforts to make payment to the bank account set out in a valid invoice.  We will not make payments where the bank account holder’s name does not match the name you give on the invoice. If you are under 18 we will make a payment to your parent or legal guardian’s account.

We cannot make, and shall not be responsible for making a payment to you if:

– you are an individual subject to US, UK or EU sanctions;

– you reside in, or your bank account is located in, a jurisdiction subject to US, UK or EU sanctions; or

– payment is refused by our bank or your bank due to any other legal, governmental or regulatory restriction.

If our first attempt to pay you fails you may resubmit your invoice in accordance with the above requirements with alternative bank account details and we will reattempt the payment. If the payment fails to the alternative bank account we shall not re-attempt payment and you shall not receive the reward.  Please therefore ensure your bank account is able to receive payments from UK banks.

This policy exists entirely at our discretion and may be modified or cancelled at any time.

Thank you for helping keep Global and our users safe!
