Responsible Vulnerability Disclosure Statement

Our Promise

Protecting the data we process is of significant importance to us and we believe that security is paramount to a great customer experience. Our job is to ensure our customers' valuable data remains secure by reducing the risk of a security incident, which in turn protects our brands and assets.

We want to hear from you if you believe we can do better.

Guidelines

We are interested in your feedback - it will help us to improve. However, we need to ensure a few guidelines are followed by any security researchers or practitioners.

We require all researchers and practitioners to:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use the identified communication channels to report vulnerability information to us.
  • Keep information about any vulnerabilities you’ve discovered confidential between Namesco Limited and yourself until we’ve had time to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research.
  • Work with you to understand and resolve the issue quickly (including confirmation of your report within 3-5 working days of submission).
  • Keep you updated on our efforts in resolving the issue.

Scope

names.co.uk - https://www.names.co.uk

In the interest of our customers, system preservation for our business and the wider internet community, we ask you to refrain from the following and have removed them from the scope:

  • Any tests on services hosted by 3rd party providers and services.
  • Tests of applications not under control of names.co.uk.
  • Physical testing such as office access (e.g. open doors, tailgating).
  • Social engineering (e.g. phishing, vishing).
  • Tests on any applications or systems not listed in the ‘in scope’ section above.
  • Network level Denial of Service (DoS/DDoS) vulnerabilities.

Safe Harbour

Being open and honest is key, but at the same time we need to establish respect for each other’s work. Some actions could be deemed illegal, dependent on the location of the service provided and the location of the security practitioner/professional.

We will provide the assurance that reporters of vulnerabilities who follow the guidelines set out in this statement, those who act in good faith to improve the security of our systems and those who wish to work with us will not be unduly penalised.

How to Report

If you believe you have found a vulnerability in one of our platforms or services, we want to hear from you.

Please send us details by emailing the team at vdp@names.co.uk

When submitting please include the following:

  • Description
  • Location
  • Potential impact
  • Detailed report of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  • A valid return address for correspondence, questions, general thanks and acknowledgement of your work.

Please use English when submitting data to us.

Thank you!