Coordinated disclosure policy

Coordinated what?

Around the world, security researchers spend their time trying to find the vulnerabilities in ISPs’ software and networks, in the hope that they find the weak spots before the bad guys. A coordinated disclosure policy helps those researchers make the vulnerabilities public once they’ve been found, so that consumers know they exist and ISPs can get them fixed.

Why we care

Because the Internet is an important national infrastructure that needs protecting. It’s important that when security vulnerabilities are discovered, there is a well-established and safe process for reporting and fixing them.

Why should you care?

Because you rely on the Internet and deserve to have confidence in the systems that we use. You want to make sure that the services you use on the Internet are as secure as possible. You also want to know that there are no potential holes that could lead to your personal data being exposed. Coordinated disclosure guidelines are designed to help make the Internet safer and more secure for everyone. ISPs should have a coordinated disclosure policy that provides advice on how people can disclose security vulnerabilities to them, and advice to customers on how the company will react to and address these reports in a mature and cooperative way.

How does your provider deal with Coordinated Disclosure?

 
2degrees Not Achieved
2degrees does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Actrix Not Achieved
Actrix does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Bigpipe Not Achieved
Bigpipe's FAQ includes information about how to contact them about security vulnerabilities, or bugs, in their systems. However, there is no dedicated communications channel or drop-down contact form option for people to get in touch with their security team at this point in time.
 
Compass Not Achieved
Compass does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
DTS Not Achieved
DTS does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Farmside Not Achieved
Farmside does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Flip Achieved
Flip publishes a coordinated disclosure policy on its website (see below). This policy includes direct email contact details for their network security team and information to enable security researchers to securely communicate with them.
 
Inspire Not Achieved
Inspire does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
MyRepublic Not Achieved
MyRepublic does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Now Not Achieved
Now does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Orcon Achieved
Orcon publishes its coordinated disclosure policy on its website (see below). This policy includes direct email contact details for their network security team and information to enable security researchers to securely communicate with them.
 
Skinny Broadband Achieved
Skinny Broadband's FAQ asks people who have found a security vulnerability to email their support team (with a mailto link), who will escalate the issue to the network security team.
 
Slingshot Achieved
Slingshot publishes its coordinated disclosure policy on its website (see below). This policy includes direct email contact details for their network security team and information to enable security researchers to securely communicate with them.
 
Spark Not Achieved
Spark does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Trustpower Not Achieved
Trustpower does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.
 
Vodafone Not Achieved
Vodafone does not publish information telling people how to let them know about security vulnerabilities, or bugs, in their systems.