Responsible Disclosure

At Domestic & General, we’re big believers in preserving the privacy and security of our customers and we value the effort put forth by security researchers who work tirelessly to make the internet a safer place.

We operate a policy of responsible disclosure whereby we work closely with security researchers to ensure any potential vulnerabilities submitted to us are reviewed and remediated as soon as possible.

If you believe you have identified a security vulnerability in one of our products, services, applications or systems, then we would love to work with you to fix it as quickly as possible.

When to report a security vulnerability?

If you think you have identified a security vulnerability that affects Domestic & General systems and/or customers then you should submit a report as soon as possible.

Guidelines

We request that all researchers follow the straightforward guidelines below:

  • Do not publicise the vulnerability without our explicit approval.
  • Do not access customer or employee personal information or any Domestic & General confidential information. If you accidentally access any of these, please stop testing and submit your report immediately.
  • Stop testing and report the issue immediately if you gain access to any non-public credentials.
  • Do not degrade the Domestic & General platform (e.g., Denial of Service) or the customer experience, disrupt production systems, or destroy data during your research.
  • Do not run automated vulnerability scans - we have the capability to do this ourselves.

What information should you provide in the report?

The more information you can provide, the faster we will be able to respond and remediate any potential vulnerabilities.

The below information is a loose template we ask researchers to follow when reporting vulnerabilities:

  • Your name
  • Date and time of discovery
  • Your phone number, if you are comfortable providing it
  • Technical details of the vulnerability
  • Raw HTTP requests and responses where appropriate. Any timestamps that would help us correlate logs would be useful.
  • A clear and concise step-by-step guide to allow for validation. Attach any screenshots or videos to the email or share them via a private storage account. Do not upload any attachments to public storage websites.

Reports that are out of scope and that are unlikely to facilitate a response:

  • Reports that do not constitute genuine security vulnerabilities or present an exceptionally low risk to our operations
  • Missing HTTP headers or DNS records
  • Spamming, social engineering, or phishing attacks
  • Accessible, non-sensitive files or directories (e.g., README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common applications and/or services
  • Username / email enumeration by brute forcing or by inference of certain error messages - except in exceptional circumstances such as the ability to enumerate phone numbers by incrementing a variable

Now that you’ve read the above, here’s how you can contact us:

Send through your report to responsible-disclosure@domesticandgeneral.com