Nominet treats the security of our services as a priority, endeavouring to as much as possible to keep systems secure. However, it is always possible that you can spot a vulnerability that we have missed. If you find a vulnerability with our services we’d like to hear from you and work towards fixing it as soon as possible.

If you believe you've found a qualifying security vulnerability, please submit a report in accordance with the guidelines below. We appreciate your positive work to support and improve our security and thank you in advance for your contribution.

Programme Rules

• ==Automated tests/scans against our network will not be tolerated==

• Please submit all vulnerabilities via HackerOne. All vulnerabilities will be triaged and tracked via HackerOne

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged

• Do not destroy or disclose any data discovered

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact

• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced)

• Do not perform any attacks that will result in high volumes of traffic (such as Denial of Service attacks)

• Do not perform testing outside the scope of this policy

• Do not publicly disclose or share the vulnerability details without the written permission of Nominet

• Do not discuss details of your reports or any vulnerabilities (even resolved ones) outside of the programme without express consent from Nominet. Please follow HackerOne's disclosure guidelines

Response Targets

| Type of Response | SLA | |

|--------------------|----------|----|

| First Response | 2 day | |

| Time to Triage | 2 days | |

| Time to Resolution* | Critical | 5 days |

| | High | 30 days|

| | Medium | 90 days|

| | Low | 90 days |

| | None | 90 days |

*While we aim to fix the issues within the provided SLAs, in some cases the actual resolution might take longer. We’ll try to keep you informed about our progress throughout the process.

What services and testing are part of the policy?

We welcome responsible disclosure of vulnerabilities associated with the following Nominet services:

• Services and websites within the nominet.uk domain hosted by Nominet;

• Registry services for .uk including whois, EPP and DAC;

• .uk nameserver infrastructure.

Please refer to our scope below:

In scope

• Domain: *.nominet.uk

• Domain: *.nominet.org.uk

• Domain: *.nic.uk

Out of scope

• Any domain or service not listed within the scope

• Services run on behalf of other parties, such as protective DNS, public-sector DNS, and gTLDs are out of scope

• Services operated or hosted by third parties are out of scope

• Testing for network level denial of service vulnerabilities

• Any testing that is likely to lead to degradation of user experience or disruption to services

• Physical testing, meaning through access to our offices or physical locations

• Social engineering (e.g. phishing, vishing, smishing)

• Any activity that could lead to the disruption of our service (DoS)

Test Accounts

Nominet will not provide test accounts to our services, such as Online Services (secure.nominet.uk) or MemberHub (members.nominet.uk). We welcome reports from Members or users with existing access to our services.

Excluded Vulnerabilities

Whilst we encourage any vulnerability submission affecting the security of Nominet assets, the following vulnerabilities are excluded from this program:

• Any vulnerability affecting services not within scope of the responsible disclosure policy

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device

• Previously known vulnerable libraries without a working Proof of Concept

• Missing best practices in SSL/TLS configuration

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Missing HTTP security headers

• Missing best practices in Content Security Policy

• Missing HttpOnly or Secure flags on cookies that aren’t session identifiers

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• The availability of version information

• Any vulnerability that relies on the use end-of-life (EOL), out of date or otherwise unsupported software

• Vulnerabilities in software or hardware that have been previously published

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.