
1. Information

It’s important that anybody can contact us, quickly and effectively, with security concerns or information pertinent to:

• our customers’ privacy,

• suppliers’ privacy, or

• the confidentiality, integrity or availability of our systems.

We operate this responsible disclosure policy to help security professionals and others alert us to any security concerns as quickly as possible and with the minimum of fuss.

2. Response Targets

Global will make reasonable efforts to meet the following response targets for ethical hackers participating in our programme:

• First Response Time (from submission): 3 days

• Triage time period (from submission): 4 days

We’ll try to keep you informed about our progress throughout the process and alert you if we’re delayed for any reason.

3. Disclosure Policy

We request that you always act responsibly and in the best interests of Global and our customers. In particular:

• Do not break the law;

• Do not use social engineering techniques, phishing, or physical attacks against our customers, infrastructure or staff;

• Do not perform any attack that could harm the reliability or integrity of our systems, services or data. DoS and/or spam attacks are not allowed;

• Do not put any Global data or customer data at risk;

• Do not make the bug public before it has been fixed; and

• When in doubt, email us.

Content injection (also “content spoofing” or “HTML injection”) is out of scope unless you can clearly demonstrate a significant risk to Global or its customers or suppliers.

When reporting an issue to us:

• Please highlight security issues in third-party apps or websites that integrate with;

• Be specific;

• Provide a detailed and complete submission (masking or encrypting if necessary);

• Reference existing vulnerability information, where relevant.

It is important to follow the above guidance so that we treat your communication as a responsible disclosure and not an attack or extortion.

4. Rewards

All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by our in-house team. We do not offer a published score against CVSS metrics or similar. Each submission is judged on its own merit, applying many factors such as severity, business function of system, cost to mitigate, etc. We do not guarantee that a reward will be paid and Global’s assessment of the severity of an issue and the corresponding amount of any reward, if any, will be final.

To be eligible for a reward, you must agree and adhere to our rules set out at section 5.


5. Rules

By submitting a report, you agree to comply with the following rules:

a. The Terms of Use for as set out here;

b. the terms of our Privacy Notice. In particular, you agree that we can use your submission and its contents to ensure the security, integrity and reliable operation of our systems, technology and business; and

c. the applicable sections of our Terms and Conditions and Regulatory requirements, outlined here.

Your submission should contain the following:

• Clear description and evidence of the vulnerability (logs, screenshots, responses);

• Detailed steps to reproduce the issue;

• Any platforms, operating systems, versions that are relevant;

• Any relevant IP addresses or URLs;

• Any supporting evidence you have collected (logging, tracing, etc.);

• Your assessment of the exploitability or impact of the issue;

• Your name, role (if appropriate) and contact details.

Please preserve as much evidence as possible as we may need to examine it.

We reserve the right to consider certain sites or sub-sites to be ineligible for any bounty or disclosure rewards.

It is important that we respond quickly and effectively; however, we take steps to manage spam to quickly identify relevant email and therefore quality submissions. We discourage and will not respond to:

• reports of generic vulnerabilities with no evidence of relevance to our systems;

• Denial-of-Service attacks (DoS);

• reports of any information already in the public domain;

• reports that are vague or non-actionable.

We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Global and its customers.

6. Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in good faith and in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

7. Confidentiality

You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential. You must not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.

This policy exists entirely at our discretion and may be modified or cancelled at any time.

Thank you for helping keep Global and our users safe!




