Responsible Disclosure


AGL takes security very seriously, and continually works to protect our assets, information, and systems. We value security researchers, customers and other members of the public, and your investigative efforts when they are conducted within ethical principles.

If you believe you’ve discovered a potential security vulnerability within AGL, or one of our services or products, we would like you to let us know as quickly as possible by emailing us in accordance with the ‘How to Report a Potential Security Vulnerability’ section below.

We are committed to reviewing all emails within a reasonable timeframe and, if necessary, remediating or mitigating the potential security vulnerability.

Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.

AGL does not condone any malicious or illegal behaviour in the identification and reporting of security vulnerabilities and you must not engage in any activity that violates applicable laws.

Please be aware that AGL is unable to offer any form of compensation (including but not limited to monetary compensation or other financial benefit) for disclosure.


AGL's Responsible Disclosure Program


Any vulnerability research on our products and services must be conducted responsibly and in accordance with the Responsible Disclosure Program guidelines and all applicable laws. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.
The following types of research are strictly prohibited:

  1. Any attempt to make unavailable, degrade, or affect the availability of AGL’s systems and/or products, including denial of service (DoS) attacks.
  2. Accessing or attempting to access accounts or data that do not belong to you.
  3. Any attempt to modify or destroy any data.
  4. Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages.
  5. Conducting social engineering (including phishing) of AGL Group employees, contractors, customers, or any other party.
  6. Any physical attempts against assets and property.
  7. Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products, customers, or any other party.
  8. Testing third party websites, applications or services that integrate with our services or products.
  9. The use of automated vulnerability scanners.
  10. Exfiltrating any data under any circumstances.
  11. Any kind of activity that portrays you as acting from or on behalf of AGL, its customers or affiliates.
  12. Any activity that violates any law.

The following finding types are specifically out of scope:

  1. Missing HTTP or cookie security headers/flags.
  2. TLS/SSL issues, unless the CVSS v3.0 base score is above 9.0.
  3. Any finding with a CVSS v3.0 base score below 4.0.

You agree that we may use any information or material you disclose to us for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. We are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to us for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting us a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.


How to Report a Potential Security Vulnerability

You can responsibly disclose potential security vulnerabilities to AGL’s Global Security Operations Centre by emailing security@agl.com.au. Please use encrypted email if available. By emailing us, you will be deemed to have accepted the terms of AGL’s Responsible Disclosure Program.
Please ensure that you include details of the potential security vulnerability and exploit, with sufficient information to enable AGL’s Cybersecurity team to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:

  1. Date the vulnerability was observed;
  2. Location of the vulnerability (e.g. URL, domain, etc.);
  3. An explanation of the potential security vulnerability;
  4. A list of products and services that may be affected (where possible);
  5. Steps to reproduce the vulnerability;
  6. Prior conditions (e.g. logged in, not logged in, previous actions, etc.) where applicable;
  7. Names of any files that were uploaded to our systems;
  8. The names of any test accounts you have created (where applicable); and
  9. Your contact information.

Any personal information you provide will be managed in accordance with AGL’s Privacy Policy, available at: https://www.agl.com.au/privacy-policy. Alternatively, you may choose to remain anonymous or provide a pseudonym.


What happens next?


Once you have reported a potential security vulnerability, we will acknowledge your report within 72 hours. We will endeavour to keep you informed of our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it. Once our investigation has finished, we may, subject to your consent, publicly recognise you on this page below. If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.
We ask that you maintain confidentiality: please do not make your research public without express written consent from us, to ensure that we have completed our
Please note that we do not provide any form of compensation (including but not limited to monetary compensation or financial benefits) to individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for any form of compensation will be deemed a violation of this Responsible Disclosure Program.


People who have disclosed vulnerabilities to us


Below are the names or aliases of people who have identified and disclosed vulnerabilities to us: