Security Vulnerability Disclosure Program and Guidelines 

Introduction 
National Broadband Ireland (“NBI”) is committed to maintaining high security standards and values the expertise and help of the security researcher community.  If you think you have identified a security vulnerability with any of our products and services, NBI asks that you make a submission on this page.  If you intend to research NBI’s products and services for vulnerabilities make sure to read our vulnerability disclosure guidelines below. 

Vulnerability Disclosure Policy Guidelines 
NBI will review all disclosures adhering to these guidelines and do so as quickly as is practicable.  Researchers should note that NBI does not pay bug bounties (except in exceptional circumstances as determined by NBI) nor does it maintain a hall of fame.  NBI will not publicly acknowledge any vulnerability disclosures or resulting vulnerabilities. 

Researcher’s Responsibilities 
Researchers are asked to adhere to the following rules when assessing NBI’s products and services and submitting reports: 

  • Reports should only be submitted in English, using the vulnerability reporting link below; 
  • Take all necessary care not to attack, disrupt or degrade NBI products and services; 
  • Do not attempt to socially engineer NBI staff or the staff of our third parties; 
  • Do not exploit or attempt to exploit a vulnerability in an NBI product or service; 
  • Do not share details about the vulnerability with anyone until it has been resolved by NBI; and 
  • Be aware of your legal obligations (e.g. the GDPR) especially when it comes to personal data and the impact a disclosure may have on individuals. 

NBI’s Responsibilities 
NBI will adhere to the following rules when analysing vulnerability reports: 

  • Treat submitted reports confidentially and not share your personal details with third parties without your authorisation; 
  • Resolve vulnerabilities quickly and inform you when this happens; and 
  • Note that NBI does not pay bug bounties (except in exceptional circumstances as determined by NBI) nor maintain a hall of fame. 

Qualifying Vulnerability Scope 
NBI considers any design or implementation issue that significantly affects the confidentiality, integrity and/or availability of our products, services and user data likely to be in scope for the vulnerability disclosure program. For example: 

  • Cross-site scripting with a valid header injection; 
  • Cross-site request forgery with a practical use for hackers; 
  • Mixed-content scripts facilitating man-in-the-middle attacks; 
  • Authentication or authorisation flaws; and 
  • Server-side code execution bugs. 

The following items are considered out of scope for a vulnerability report submission: 

  • Unauthorised physical access to NBI premises and sites including dumpster diving; 
  • Any activity that may cause or does cause a disruption to or an impairment of any NBI product or service; 
  • Any social engineering against NBI staff or contractors including but not limited to any form of phishing, tabnabbing or man in the middle attacks; 
  • Any vulnerability that involves the theft (even temporarily) and/or physical access to an NBI device of any description; 
  • Known vulnerabilities that have been published on the NIST National Vulnerability Database (https://nvd.nist.gov/); 
  • The following, without demonstrating a vulnerability: 
      ◦ Clickjacking 
      ◦ Comma Separated Values (CSV) injection 
      ◦ Missing HttpOnly or Secure flags on cookies 
      ◦ Open redirects 
      ◦ Static resources and/or publicly available information exposed in storage buckets 
  • Vulnerabilities only affecting non-NBI users of outdated or unpatched browsers; and 
  • Software version disclosure, descriptive error messages or headers, and other expected system responses that may be returned by stack traces, scans and application or server errors. 

Reporting a Vulnerability 

To report a vulnerability fill out the following form that can be found HERE

Once the form is submitted you will receive an automated response to the email address provided.  

All personal information will be processed in accordance with our Privacy Policy (/privacy-policy/).