Responsible Disclosure
Responsible Disclosure Policy
We want to ensure people are able to quickly contact us with security concerns or information related to privacy or the confidentiality, integrity or availability of our systems. We value and appreciate responsible disclosures that support user privacy and security, and the purpose of this responsible disclosure policy is to enable security professionals and others to alert us in a quick and easy way.
Examples of when you might want to contact us include:
- vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data or our customers' data
- "copycat" applications or phishing attacks
- activity, discussion or data in any public forum which you believe constitutes a threat to Eurostar or our customers
How to contact us
Please send us an email at security@eurostar.com.
In your email, please include:
- a clear description of the issue (logs, screenshots, responses)
- any platforms, operating systems, versions that are relevant
- any relevant IP addresses or URLs
- any supporting evidence you have collected (logging, tracing etc.)
- your assessment of the impact of the issue
- your suggestion to combat the issue
Please keep relevant evidence as we may need it.
Responsibilities
To enable us to treat communications as responsible disclosures:
- Do be specific
- Do not put any Eurostar or customer data at risk
- Do provide sufficient detail
- Do reference existing vulnerability information where relevant
We reserve the right to deal appropriately with attack and extortion attempts.
How we will respond
If we believe an issue has been reported as a responsible disclosure in line with this policy, we will deal with the matter promptly.
We may need to reply to you with follow-up questions.
We discourage and will not respond to:
- reports of generic vulnerabilities with no evidence of relevance to our systems
- reports of any information already in the public domain
- reports that are vague or non-actionable
- reports that are not in line with this policy
Financial rewards
We do not offer financial rewards.
Confidentiality
You must treat as confidential all information about our systems, staff or customers that you become aware of. We will treat your information in the same way.
Special thanks
Eurostar would like to thank everybody who has helped to make this website as secure as possible through their contributions. A special thank you to Naveen Kumawat for his contribution on DNS security and Oussama Kasmi for his contribution on web application security.