Security Disclosure Policy

At Immediate Media, we take the security of our systems and the protection of our users’ data very seriously. We appreciate the assistance of security researchers and members of the wider community in identifying and responsibly disclosing any vulnerabilities or security issues that may exist in our digital infrastructure. This Security Disclosure Policy outlines the process for reporting such issues to us.

Responsible Disclosure

If you believe you have discovered a security vulnerability or any other potential security issue in any of Immediate Media’s online platforms, websites, or applications, we encourage you to disclose it to us promptly, in a responsible manner. By practicing responsible disclosure, you help us maintain the security and privacy of our users and the integrity of our systems.

Reporting Process

To report a security issue, please follow the steps outlined below:

  1. Send an email to digital-security@immediate.co.uk, detailing the vulnerability or security issue you have discovered. Please provide a clear and concise description of the problem, including the affected system, component, or service.
  2. Include any relevant details that can help us reproduce and understand the vulnerability, such as steps to reproduce, the URL(s) or affected endpoints, sample code, screenshots, or any other evidence that demonstrates the vulnerability.
  3. If applicable, please provide the software version, browser version, device type, and any other relevant technical information that may aid in the investigation and resolution of the issue.
  4. Do not publicly disclose the vulnerability until we have had an opportunity to investigate and mitigate the issue, and we have had a reasonable amount of time to address the problem. We commit to responding promptly to your report, acknowledging receipt within three business days.

Scope

This Security Disclosure Policy applies to online platforms, websites, and applications owned and operated by Immediate Media that have a valid security.txt file. Only domains that include a security.txt file are considered in scope for security disclosure reports.

To be considered in-scope, vulnerability reports should exhibit a tangible real-world impact on Immediate Media, its users, or its customers if a malicious actor were to exploit the vulnerability.
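Because scope is defined by the presence of a security.txt file, a researcher can check whether a host qualifies before spending time on it. The following is an added example in Python (not Immediate Media's own tooling): it parses a security.txt file according to RFC 9116, checks the two required fields (at least one Contact, exactly one unexpired Expires) and extracts the mailto: address to report to. The sample file contents are constructed for illustration; the well-known path `/.well-known/security.txt` and the field rules come from RFC 9116.

```python
"""Decide whether a host is in scope by checking its RFC 9116 security.txt."""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.request import urlopen

WELL_KNOWN_PATH = "/.well-known/security.txt"  # location defined by RFC 9116
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # RFC 9116 Contact URIs

# Constructed sample for this example; not the file any Immediate Media host serves.
SAMPLE_SECURITY_TXT = """\
# Example security.txt (constructed)
Contact: mailto:digital-security@immediate.co.uk
Expires: 2030-01-01T00:00:00Z
Policy: https://www.example.com/security-disclosure-policy
Preferred-Languages: en
"""


def fetch_security_txt(host: str, timeout: float = 10.0) -> str:
    """Retrieve the file over HTTPS (RFC 9116 requires HTTPS). Needs network
    access; the offline checks below use SAMPLE_SECURITY_TXT instead."""
    with urlopen(f"https://{host}{WELL_KNOWN_PATH}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into {lowercased field: [values]}.

    Comment lines (#) and blank lines are skipped; field names are
    case-insensitive in RFC 9116, so they are normalised to lowercase.
    Lines without a colon are collected under '_malformed' so validate()
    can flag them instead of silently dropping them.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _as_datetime(value: str | datetime) -> datetime:
    """RFC 3339 timestamp; 'Z' is accepted and naive values are treated as UTC."""
    parsed = value if isinstance(value, datetime) else \
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate(fields: dict[str, list[str]],
             now: str | datetime | None = None) -> list[str]:
    """Return the RFC 9116 problems found (an empty list means the file is usable).

    `now` may be a datetime or an RFC 3339 string, so a file can be checked
    "as of" a given date; it defaults to the current UTC time.
    """
    current = _as_datetime(now) if now else datetime.now(timezone.utc)
    problems: list[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _as_datetime(expires[0]) < current:
                problems.append(f"security.txt expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line}")
    return problems


def in_scope(text: str, now: str | datetime | None = None) -> bool:
    """A host counts as in scope here only if it serves a valid, unexpired file."""
    return not validate(parse_security_txt(text), now)


def report_addresses(text: str) -> list[str]:
    """The mailto: contacts a researcher should use for the report."""
    return [c[len("mailto:"):]
            for c in parse_security_txt(text).get("contact", [])
            if c.startswith("mailto:")]


if __name__ == "__main__":
    print("in scope:", in_scope(SAMPLE_SECURITY_TXT))
    print("report to:", report_addresses(SAMPLE_SECURITY_TXT))
    for problem in validate(parse_security_txt(SAMPLE_SECURITY_TXT)):
        print("problem:", problem)
```

To check a live host, call `fetch_security_txt("www.example.com")` and pass the result to `validate` or `in_scope`; an expired file, a missing Contact field, or a bare email address without the `mailto:` scheme each produce a specific problem string rather than a silent pass, which matters because an expired or malformed file should not be read as an invitation to test.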

Exclusions

Please note that the following types of reports are explicitly excluded from this policy (so please do not submit them):

  1. Any vulnerabilities or issues that fall outside the scope described above.
  2. Reports indicating that our service(s) and/or systems do not fully align with “best practice” (e.g. missing security headers or missing SPF/DMARC records) unless a real-world impact can be demonstrated.
  3. Reports related to outdated or unsupported software versions or configurations unless an exploitable vulnerability can be demonstrated.
  4. TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS 1.0 support, Lucky13, etc.).
  5. Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, or other forms of disruptive behaviour.
  6. Network data enumeration techniques (e.g. banner grabbing, existence of publicly available server diagnostic pages).
  7. Failure to invalidate user sessions.

Guidance

Security researchers must not:

  1. Access unnecessary amounts of data. For example, two or three records are enough to demonstrate most vulnerabilities (such as SQL injection).
  2. Violate the privacy of our users, staff, or systems.
  3. Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than the Immediate Media security team.
  4. Modify data in our service(s) and/or systems which is not your own.
  5. Disrupt our service(s) and/or systems.
  6. Disclose any vulnerabilities in Immediate Media’s service(s) and/or systems to third parties and/or the public prior to Immediate Media confirming that those vulnerabilities have been mitigated or rectified.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance.

Rewards

Immediate Media does not offer a paid-for bug bounty programme at this time; however, we acknowledge the efforts of security researchers in ensuring the security of our systems.

Policy Changes

Immediate Media reserves the right to modify or amend this Security Disclosure Policy at any time. Any changes will be effective immediately upon posting the updated policy on our website. We encourage you to review this policy periodically.

Thank you for your support in keeping Immediate Media and our users safe. We greatly appreciate your assistance in maintaining the security of our systems.