Report a vulnerability
If you’ve discovered a security-related issue with any of our online systems it’s important you let us know so we can investigate and resolve it.
There are some things we ask you to do - and not to do.
Your cooperation with our vulnerability disclosure policy means we can protect you and our customers. And fix the issue as quickly as possible.
What you need to do
- Notify us. You can email our security team. If you think the vulnerability is serious, or you’re concerned about email security, you can send a PGP encrypted message to one of our team
- Tell us as much as you can about the issue, including:
- type of vulnerability
- whether the information has been published or shared with others
- step-by-step instructions or proof of concept to replicate the issue.
What not to do
We ask that you do not:
- share the vulnerability with anyone except us
- share any information belonging to our customers.
Our commitment to you
If you follow our requests and act in good faith we will:
- reply to you within 7 days to confirm we’ve received your email
- outline our planned response
- investigate and fix the issue as quickly as possible
- if appropriate, let you know the results of our investigations and how we plan to publicly disclose the issue
- only share the information you give us with our suppliers if it affects them - otherwise we’ll keep it confidential within InternetNZ
- if you find a significant vulnerability we’ll publicly acknowledge your contribution to keeping our online systems secure.
We will not initiate legal action against any security researchers who follow our requests and act in good faith.
Acting in good faith includes not carrying out any security research with the aim of:
- causing or attempting to cause a Denial of Service (DoS) condition
- accessing or attempting to access data or information that doesn’t belong to you
- destroying, corrupting - or attempting to destroy or corrupt - data or information that doesn’t belong to you.
Need more information?
Please contact us if you need more information or have any questions. You can email our security team. If you’re concerned about email security you can send a PGP encrypted message to one of our team.