It’s important that anybody can contact us, quickly and effectively, with security concerns or information pertinent to:
• Our customers’ privacy,
• Suppliers’ privacy, or
• The confidentiality, integrity or availability of our systems.
We operate this responsible disclosure policy to help security professionals and others alert us to any security concerns as quickly as possible and with the minimum of fuss.
2. Response Targets
Global will make reasonable efforts to meet the following response targets for ethical hackers participating in our programme:
• First Response Time (from submission): 3 days
• Triage Response Time (from submission): 4 days
We’ll try to keep you informed about our progress throughout the process and alert you if we’re delayed for any reason.
3. Disclosure Policy
We request that you always act responsibly and in the best interests of Global and our customers. In particular:
• Do not break the law;
• Do not use social engineering techniques, phishing, or physical attacks against our customers, infrastructure or staff;
• Do not perform any attack that could harm the reliability or integrity of our systems, services or data. DoS and/or spam attacks are not allowed;
• Do not put any Global data or customer data at risk;
• Do not make the bug public before it has been fixed; and
• When in doubt, email us (firstname.lastname@example.org).
Content injection (also “content spoofing” or “HTML injection”) is out of scope unless you can clearly demonstrate a significant risk to Global or its customers or suppliers.
When reporting an issue to us:
• Send your bug report to email@example.com;
• Please highlight security issues in third-party apps or websites that integrate with global.com;
• Be specific;
• Provide a detailed and complete submission (masking or encrypting if necessary);
• Reference existing vulnerability information, where relevant.
It is important to follow the above guidelines so that we treat your communication as a responsible disclosure and not an attack or extortion.
All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by our in-house team. We do not offer a published score against CVSS metrics or similar. Each submission is judged on its own merit, applying many factors such as severity, business function of the system, the cost to mitigate, etc. We do not guarantee that a reward will be paid and Global’s assessment of the severity of an issue and the corresponding amount of any reward, if any, will be final.
To be eligible for a reward, you must agree and adhere to our rules set out in section 5 below.
By submitting a report, you agree to comply with the following rules:
2. the terms of our Privacy Notice. In particular, you agree that we can use your submission and its contents to ensure the security, integrity and reliable operation of our systems, technology and business; and
3. the applicable sections of our Terms and Conditions and Regulatory requirements, outlined here.
Your submission should contain the following:
• Clear description and evidence of the vulnerability (logs, screenshots, responses);
• Detailed steps to reproduce the issue;
• Any platforms, operating systems or versions that are relevant;
• Any relevant IP addresses or URLs;
• Any supporting evidence you have collected (logging, tracing, etc.);
• Your assessment of the exploitability or impact of the issue;
• Your name, role (if appropriate) and contact details.
Please preserve as much evidence as possible as we may need to examine it.
We reserve the right to consider certain sites or subsites to be ineligible for any bounty or disclosure rewards.
Responding quickly and effectively matters to us; however, we also take steps to manage spam so that we can quickly identify relevant email and therefore quality submissions.
We discourage, and will not respond to, the following submissions, which we consider to be out of scope:
• Reports of generic vulnerabilities with no evidence of relevance to our systems;
• Denial-of-service attacks (DoS or DDoS);
• Destructive or performance-impacting attacks or testing;
• Social engineering or phishing;
• Submissions of TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS 1.0 or TLS 1.1 support, Sweet32, etc.) or certificate issues;
• Submissions indicating that our services do not fully align with “best practice”, e.g. missing security headers (CSP, X-Frame-Options, x-prevent-xss, etc.) or suboptimal email-related configuration (SPF, DMARC, etc.);
• Simple rate-limiting issues without a security impact;
• Submissions entirely comprising output from commonly available automated scanners;
• Submissions that do not pertain to Global’s assets;
• Submissions of non-exploitable vulnerabilities;
• Reports of any information already in the public domain;
• Reports that are vague or non-actionable.
We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Global and its customers.
6. Safe Harbour
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in good faith and in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential. You must not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.
This policy exists entirely at our discretion and may be modified or cancelled at any time.
Please contact Global by emailing firstname.lastname@example.org to ensure you reach the right team.
Thank you for helping keep Global and our users safe!