Vulnerability Disclosure Policy

Purpose

The Vulnerability Disclosure Policy provides guidance on how independent security researchers can advise Endeavour Group of any potential or identified security vulnerabilities within Endeavour Group.

Scope

This Vulnerability Disclosure policy applies to independent security researchers for any internet-facing systems or Software as a Service (SaaS) cloud services.

Policy

Endeavour Group holds significant amounts of information about our customers, Team Members, business partners and the communities we serve. We are entrusted with this information and care about protecting it. The security researcher community makes valuable contributions to the security of an organisation and we at Endeavour Group are eager to maintain a good relationship with this community. This relationship will help us to improve our own security.

1. Identifying Potential Security Vulnerabilities

If you believe you have discovered a security weakness (vulnerability), or potential security weakness, within Endeavour Group please report it to security@edg.com.au as quickly as possible. We will try to address all identified issues in a timely manner and ask that you allow us a reasonable timeframe to review and address the issue before it is publicly disclosed. Details of any potential security vulnerabilities must not be publicly disclosed without our express written consent from an appropriately authorised endeavour group employee.

It will be viewed as a collaboration if security vulnerabilities are reported to us in accordance with this policy. In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights.

We acknowledge that responsible security research will occur and will work with the security research community.

The following list, which is not exhaustive, contains the types of techniques that are not permitted during research activities:

  • Any activities that violate laws or regulations

  • Clickjacking

  • Social engineering or phishing attacks

  • Accessing or attempting to access accounts or data

  • Attempting to or actually or destroying data

  • Data exfiltration including site replication

  • Denial of service (DoS) or distributed denial of service (DDoS) attacks

  • Physical attacks

2.How to Report a Security Vulnerability

To report a security vulnerability to the Endeavour Group Cyber Security team email Security@edg.com.au with the subject: INDEPENDENT SECURITY RESEARCHER ADVISORY.

Please include as much information as possible to help us reproduce the vulnerability. This includes, but is not limited to:

  • An explanation of the potential security vulnerability

  • The steps are taken to produce the vulnerability

  • Your contact details

    When a report is made for a new vulnerability, we ask that you keep the information confidential and do not make your research public until we have completed our investigation and where applicable, have remediated or mitigated the vulnerability

3.What Happens Next?

Once a security vulnerability has been reported we will aim to respond to you with an initial response within 5 business days. We will keep you informed of our progress on addressing the potential vulnerability. We will also inform you when the vulnerability has been remediated or mitigated.

We do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities but we will publicly recognise the researchers who discovered the vulnerability, subject to their consent.

4.Recognition for Identifying Vulnerabilities

Below are the names or aliases of researchers who have identified and disclosed security vulnerabilities to us in accordance with our Vulnerability Disclosure Policy: