It’s important that anybody can contact us, quickly and effectively, with security concerns or
information pertinent to:
• our customers’ privacy,
• our suppliers’ privacy, or
• the confidentiality, integrity or availability of our systems.
We operate this responsible disclosure policy to help security professionals and others alert
us of any security concerns as quickly as possible and with the minimum of fuss.
2. Response Targets
Global will make reasonable efforts to meet the following response targets for ethical
hackers participating in our programme:
• First Response Time (from submission): 3 days
• Triage time period (from submission): 4 days
We’ll try to keep you informed about our progress throughout the process and alert you if
we’re delayed for any reason.
3. Disclosure Policy
We request that you always act responsibly and in the best interests of Global and our
customers. In particular:
• Do not break the law;
• Do not use social engineering techniques, phishing, or physical attacks against our
customers, infrastructure or staff;
• Do not perform any attack that could harm the reliability or integrity of our systems,
services or data. DoS and/or spam attacks are not allowed;
• Do not put any Global data or customer data at risk;
• Do not make the bug public before it has been fixed; and
• When in doubt, email us.
Content injection (also “content spoofing” or “HTML injection”) is out of scope unless you
can clearly demonstrate a significant risk to Global or its customers or suppliers.
When reporting an issue to us:
• Please highlight security issues in third-party apps or websites that integrate with
• Be specific;
• Provide a detailed and complete submission (masking or encrypting if necessary);
• Reference existing vulnerability information, where relevant.
It is important to follow the above guidance so that we treat your communication as a
responsible disclosure and not an attack or extortion.
All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on
severity as determined by our in-house team. We do not offer a published score against
CVSS metrics or similar. Each submission is judged on its own merit, applying many factors
such as severity, business function of system, cost to mitigate, etc. We do not guarantee
that a reward will be paid and Global’s assessment of the severity of an issue and the
corresponding amount of any reward, if any, will be final.
To be eligible for a reward, you must agree and adhere to our rules set out in section 5.
By submitting a report, you agree to comply with the following rules:
b. the terms of our Privacy Notice. In particular, you agree that we can use your
submission and its contents to ensure the security, integrity and reliable
operation of our systems, technology and business; and
c. the applicable sections of our Terms and Conditions and Regulatory
requirements, outlined here.
Your submission should contain the following:
• Clear description and evidence of the vulnerability (logs, screenshots, responses);
• Detailed steps to reproduce the issue;
• Any platforms, operating systems, versions that are relevant;
• Any relevant IP addresses or URLs;
• Any supporting evidence you have collected (logging, tracing, etc.);
• Your assessment of the exploitability or impact of the issue;
• Your name, role (if appropriate) and contact details.
Please preserve as much evidence as possible as we may need to examine it.
We reserve the right to consider certain sites or sub-sites to be ineligible for any bounty or
It is important that we respond quickly and effectively; to do so, we take steps to manage
spam so that we can quickly identify relevant emails and therefore quality submissions. We
discourage and will not respond to:
• reports of generic vulnerabilities with no evidence of relevance to our systems;
• Denial-of-Service attacks (DoS);
• reports of any information already in the public domain;
• reports that are vague or non-actionable.
We will respond quickly and gratefully if we believe that you are faithfully reporting an issue
in line with these terms and in the best interests of Global and its customers.
6. Safe Harbour
Any activities conducted in a manner consistent with this policy will be considered
authorized conduct and we will not initiate legal action against you. If legal action is initiated
by a third party against you in connection with activities conducted in good faith and in
accordance with this policy, we will take steps to make it known that your actions were
conducted in compliance with this policy.
You must treat all information about our systems, staff or customers that comes into your
possession or that you otherwise become aware of, which is not publicly available, as
strictly confidential. You must not share or otherwise use it for any purpose other than
emailing it to us as a submission as described above.
This policy exists entirely at our discretion and may be modified or cancelled at any time.
Thank you for helping keep Global and our users safe!