Nominet treats the security of our services as a priority, endeavouring to as much as possible to keep systems secure. However, it is always possible that you can spot a vulnerability that we have missed. If you find a vulnerability with our services we’d like to hear from you and work towards fixing it as soon as possible.
If you believe you've found a qualifying security vulnerability, please submit a report in accordance with the guidelines below. We appreciate your positive work to support and improve our security and thank you in advance for your contribution.
==Automated tests/scans against our network will not be tolerated==
Please submit all vulnerabilities via HackerOne. All vulnerabilities will be triaged and tracked via HackerOne
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged
Do not destroy or disclose any data discovered
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced)
Do not perform any attacks that will result in high volumes of traffic (such as Denial of Service attacks)
Do not perform testing outside the scope of this policy
Do not publicly disclose or share the vulnerability details without the written permission of Nominet
Do not discuss details of your reports or any vulnerabilities (even resolved ones) outside of the programme without express consent from Nominet. Please follow HackerOne's disclosure guidelines
| Type of Response | SLA | |
| First Response | 2 day | |
| Time to Triage | 2 days | |
| Time to Resolution* | Critical | 5 days |
| | High | 30 days|
| | Medium | 90 days|
| | Low | 90 days |
| | None | 90 days |
*While we aim to fix the issues within the provided SLAs, in some cases the actual resolution might take longer. We’ll try to keep you informed about our progress throughout the process.
We welcome responsible disclosure of vulnerabilities associated with the following Nominet services:
Services and websites within the nominet.uk domain hosted by Nominet;
Registry services for .uk including whois, EPP and DAC;
.uk nameserver infrastructure.
Please refer to our scope below:
Any domain or service not listed within the scope
Services run on behalf of other parties, such as protective DNS, public-sector DNS, and gTLDs are out of scope
Services operated or hosted by third parties are out of scope
Testing for network level denial of service vulnerabilities
Any testing that is likely to lead to degradation of user experience or disruption to services
Physical testing, meaning through access to our offices or physical locations
Social engineering (e.g. phishing, vishing, smishing)
Any activity that could lead to the disruption of our service (DoS)
Nominet will not provide test accounts to our services, such as Online Services (secure.nominet.uk) or MemberHub (members.nominet.uk). We welcome reports from Members or users with existing access to our services.
Whilst we encourage any vulnerability submission affecting the security of Nominet assets, the following vulnerabilities are excluded from this program:
Any vulnerability affecting services not within scope of the responsible disclosure policy
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Missing best practices in SSL/TLS configuration
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Missing HTTP security headers
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies that aren’t session identifiers
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers
Open redirect - unless an additional security impact can be demonstrated
The availability of version information
Any vulnerability that relies on the use end-of-life (EOL), out of date or otherwise unsupported software
Vulnerabilities in software or hardware that have been previously published
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
|Scope Type||Scope Name|
Firebounty have crawled on 2021-09-13 the program Nominet on the platform Hackerone.