Reporting Security Vulnerabilities/Issues
We take the security of our systems and user data seriously. We try to both minimise the data we hold on users, and ensure it is appropriately protected.
If you believe you have discovered a security vulnerability on our website or services, we encourage you to report it to us responsibly. We will commit to look into such reports promptly and address or mitigate them expeditiously.
Unfortunately, due to the influx of automated scanning activity, we (along with many other website operators) receive a lot of reports which are of low quality or outright incorrect and based on mass sending of e-mails. These usually involve requesting payment for disclosure.
Guidance for reports
- We do not pay bug bounties — Please don’t ask for one as your report is likely to be marked as spam if it mentions these (using those words or otherwise).
- No Authority to scan/probe — We do *not* grant permission for you to scan/probe our website looking for vulnerabilities. Such activities cause alerts for staff, take up valuable resources and may be reported to appropriate authorities as attempted attacks. Looking for vulnerabilities is not an acceptable defence unless we have engaged with you directly for this task in writing. We do not process reports from automated scans (sorry, but too many ‘security researchers’ we have engaged with over time seem to know nothing about security and rely on these tools).
- Security Researchers — We expect reports may arise from genuine users who notice something in their day-to-day use of the site. We do not encourage anyone to use or register on the site for the sole or main purpose of finding vulnerabilities. We will act in good faith with users who find security issues; however, we do not authorise any attempted physical attack vectors, social engineering, attacking third-party/upstream tools/networks, denial-of-service attacks, input modification/other exploit testing, any testing of performance or degradation thereof, or use of any tools. If you suspect a specific vulnerability and would like to seek our permission to test it, you may contact us using the details below.
- UI Redressing — We do not process reports for UI redressing. Please do not send those to us.
The above restrictions are intended to discourage activity which results in our resources being misused or diverts staff time to deal with issues caused by security researchers. If you find something you do think could be a vulnerability, e-mail us about it with details and seek our permission to explore it further. We do want to respond to genuine issues, but not divert resources to unsolicited speculative scans that can look like attacks.
If you are a security researcher, please use your work e-mail address (not a gmail/hotmail/free e-mail one; in our experience, too many automated reports come from those).
Reporting
E-mail: team@ our domain
Subject: Security Vulnerability [termsok] – <Description>
Please make sure you include the subject line as above, as this shows us that you have read this page and helps us to weed out automated e-mails.
Please include:
- Description of the vulnerability — A clear explanation of the issue
- Steps to reproduce — Detailed instructions to replicate the vulnerability
- Potential impact — How you think this could be abused
- Affected systems — Which parts of our service are impacted
- Discovery details — How and when you found the issue
- Screenshots / Proof-of-concept — If safe to include, these are helpful for providing context