Responsible Disclosure Policy
Introduction
At DFDS, we take security very seriously. This document outlines security procedures and general policies for disclosing security vulnerabilities. If you are considering reporting a vulnerability to us (the “Organisation”), we recommend reading this vulnerability disclosure policy fully before doing so.
While we value those who take the time and effort to report security vulnerabilities according to this policy, please note that we do not offer monetary rewards for vulnerability disclosures.
Reporting
If you believe you have found a security vulnerability, please submit your report to us using the following email: security@dfds.com.
In your report, include the following details:
The website, git repository, IP, or page where the vulnerability can be observed.
A brief description of the type of vulnerability (e.g., “XSS vulnerability”).
Steps to reproduce the vulnerability.
Please ensure that your tests are benign, non-destructive, or serve as a proof of concept.
This information helps ensure that the report can be triaged quickly and accurately.
What to expect
After you submit your report, we will respond within 5 working days and aim to triage your report within 15 working days. We’ll keep you informed of our progress. Priority for remediation is assessed based on impact, severity, and exploit complexity. While you’re welcome to inquire about the status, please avoid doing so more than once every 14 days to allow our teams to focus on remediation.
We’ll notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution adequately covers the vulnerability. Once your vulnerability has been resolved, we welcome requests to disclose your report. We aim to unify guidance to affected users, so please continue to coordinate public release with us.
Guidance
You must NOT:
Break any applicable laws or regulations.
Access unnecessary, excessive or significant amounts of data.
Modify data in the Organisation's systems or services.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Disrupt the Organisation's services or systems.