Introduction
PZ Cussons recognises and values the work of security researchers and the wider security community in identifying vulnerabilities.
We are committed to investigating and resolving security issues in a responsible and timely manner, and to working collaboratively with individuals who report vulnerabilities in good faith.
This policy explains how to report vulnerabilities and the standards expected for responsible disclosure.
Scope
This policy applies to vulnerabilities identified in PZ Cussons systems, applications, and services where:
- The vulnerability is original, previously unreported, and not already identified internally
- Testing is conducted in a responsible and non-disruptive manner
Out of Scope
The following security issues are currently not in scope (please don’t report them):
- Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests)
- TLS configuration issues (e.g. weak ciphers, legacy protocols)
- Non-exploitable or theoretical vulnerabilities
- Missing security best-practice controls (e.g. CSP, security headers)
- Email configuration issues (e.g. SPF, DKIM, DMARC)
- Session management issues that are not directly exploitable
- Automated scan results without demonstrated impact
PZ Cussons appreciates the investigative work into security vulnerabilities which is carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This document defines a method by which we can work with the security research community to improve our online security.
Reward / Recognition
PZ Cussons does not operate a formal bug bounty programme. We may, after due consideration, offer a token of appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy. This is entirely at our discretion. The uniqueness and rating of the vulnerability will be taken into consideration.
Reporting a Vulnerability
If you believe you have identified a security vulnerability, please report it to:
Please include:
- The affected website or page in which the vulnerability exists
- A high-level description of the vulnerability (e.g. “Cross-Site Scripting”)
- Supporting context to assist with triage
Important:
- Do not include full exploit details in the initial email if the issue is still exploitable
- Provide safe, non-destructive proof of exploitation where possible
- Further detail will be requested if needed
What to Expect
After submitting a report:
- You will receive an acknowledgement, typically within 1 business day
- A reference number will be provided for tracking
- The report will be triaged and assessed
Remediation will be prioritised based on:
- Severity and business impact
- Likelihood of exploitation
You may follow up on status, but we ask that you limit enquiries to no more than once every 14 days.
You will be notified when the issue is resolved or a remediation plan is in place.
Researcher Guidelines
While conducting testing, you must:
- Act in good faith
- Minimise data access (only what is necessary to prove the issue)
- Respect the privacy of users, employees, and third parties
- Not modify, delete, or corrupt data
- Not disrupt systems or services
- Not publicly disclose vulnerabilities in PZ Cussons systems/services before resolution
All data accessed during testing must be:
- Handled securely
- Deleted as soon as no longer required, and no later than 1 month after resolution
If unsure whether an action is permitted, contact [email protected] before proceeding.
Legal Considerations
This policy does not permit any activity that violates applicable laws or regulations, including but not limited to:
- Computer Misuse Act 1990
- UK GDPR and Data Protection Act 2018
- Copyright, Designs and Patents Act 1988
PZ Cussons will not pursue legal action against individuals who:
- Act in good faith
- Follow this policy
- Do not cause harm, disruption, or privacy breaches
Feedback
If you wish to provide feedback or suggestions on this policy, please contact our security team: [email protected]. This policy will evolve over time, and your input will be valued to ensure that it is clear, complete and remains relevant.
Review
This policy will be periodically reviewed and updated to ensure it remains effective and relevant.