Responsible Security Disclosure
The security of our systems and the data we hold is a critical priority for Shippit. We take every effort to keep our data systems secure. Despite our efforts, there may still be vulnerabilities.
This policy allows security researchers to share their findings with us in good faith. If you think you have found a potential vulnerability in one of our data systems, services or products, please tell us as quickly as possible.
For more information about the legitimate domains and contact methods used by Shippit, see this Help Centre article.
About this policy
We are keen to engage with the security community. This policy gives a person a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within systems operated by Shippit and its affiliate entities.
We will not compensate you for finding potential or confirmed vulnerabilities.
What this policy covers
This policy covers:
- Any product or service operated by Shippit to which you have lawful access
This policy does not cover:
- Clickjacking
- Social engineering or phishing
- Denial of service (DoS or DDoS) attacks
- Posting, transmitting, uploading, linking to, or sending any malware
- Physical attacks
- Attempts to modify or destroy data
- Attempts to extract or exfiltrate sensitive data
This policy does not authorise individuals or groups to undertake hacking or penetration testing against Shippit’s systems.
This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
How to report a vulnerability
To report a vulnerability, email security@shippit.com. Please include enough detail so we can reproduce your steps.
This may include:
- An explanation of the potential security vulnerability
- List products or services that may be affected (where possible)
- Steps to reproduce the vulnerability
- Proof-of-concept code (where applicable)
- Your name (or alias) and contact details.
If you report a vulnerability under this policy, you must keep it confidential.
Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, Shippit may take legal action.
There is no expectation of compensation for you finding potential or confirmed vulnerabilities. If you have not exploited the vulnerability or prematurely disclosed its possible existence, Shippit will not take any legal action against you.
What happens next
All vulnerabilities will be reported to security@shippit.com, who may contact you if more information is required.
Upon verification of the reported vulnerability Shippit will:
- Respond to your report within 10 Business Days*
- Keep you informed of our progress
- Agree upon a date for public disclosure
- With your consent credit you as the person who discovered the vulnerability unless you prefer us not to
If you do not provide your name (or alias) and contact details, Shippit will still investigate your report, but will not be able to recognise you or contact you if there are any queries about your report.
* Business Day means a day that is not a Saturday, Sunday or public holiday in Sydney, New South Wales.
People who have disclosed vulnerabilities to us
Below are the names or aliases of people who have identified and disclosed vulnerabilities to us: