Responsible Disclosure Policy
We want to ensure people are able to quickly contact us with security concerns or information related to privacy or the confidentiality, integrity or availability of our systems. We value and appreciate responsible disclosures that support user privacy and security, and the purpose of this responsible disclosure policy is to enable security professionals and others to alert us in a quick and easy way.
Examples of when you might want to contact us include:
- vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data or our customers' data
- "copycat" applications or phishing attacks
- activity, discussion or data in any public forum which you believe constitutes a threat to Eurostar or our customers
How to contact us
Please send us an email at firstname.lastname@example.org.
In your email, please include:
- a clear description of the issue (logs, screenshots, responses)
- any platforms, operating systems, versions that are relevant
- any relevant IP addresses or URLs
- any supporting evidence you have collected (logging, tracing etc.)
- your assessment of the impact of the issue
- your suggestion to combat the issue
Please keep relevant evidence as we may need it.
To enable us to treat communications as responsible disclosures:
- Do not break the law
- Do not use social engineering techniques against our customers or colleagues
- Do not put any Eurostar or customer data at risk
- Do be specific
- Do provide sufficient detail
- Do reference existing vulnerability information where relevant
We reserve the right to deal appropriately with attack and extortion attempts.
How we will respond
If we believe an issue has been reported as a responsible disclosure in line with this policy, we will deal with the matter promptly.
We may reply with follow-up questions.
We discourage and will not respond to:
- reports of generic vulnerabilities with no evidence of relevance to our systems
- reports of any information already in the public domain
- reports that are vague or non-actionable
- reports that are not in line with this policy
We do not offer financial rewards.
You must treat as confidential all information about our systems, staff or customers that you become aware of. We will treat your information in the same way.