Responsible Disclosure
As an international insurer and reinsurer, the QBE Group continually works to protect our information and systems. We value the security community, and the investigative efforts of security researchers with ethical principles.
If you believe you’ve discovered a potential security vulnerability within the QBE Group, or one of our services or products, we would like you to let us know as quickly as possible by emailing our Global Security Operations Centre at security@qbe.com.
We are committed to reviewing all reports disclosed to us. We request that you provide us with a reasonable timeframe to complete our review and, if necessary, remediate or mitigate the potential security vulnerability.
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
QBE does not condone any malicious or illegal behaviour in the identification and reporting of security vulnerabilities and you should not engage in any activity that violates applicable laws.
Please be aware that QBE does not compensate for disclosure.
QBE's Responsible Disclosure Program
Any vulnerability research on our products and services must be conducted responsibly and in accordance with the Responsible Disclosure Program guidelines and all applicable laws. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.
The following types of research are strictly prohibited:
- Any attempt to make unavailable, degrade, or affect the availability of QBE’s systems and/or products.
- Accessing or attempting to access accounts or data that does not belong to you.
- Any attempt to modify or destroy any data.
- Executing or attempting to execute a denial of service (DoS) attack.
- Any activity that degrades our system’s performance.
- Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages.
- Conducting social engineering (including phishing) of QBE Group employees, contractors, customers, or any other party.
- Any physical attempts against our property or data centres.
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products, customers, or any other party.
- Testing third party websites, applications or services that integrate with our services or products.
- The use of automated vulnerability scanners.
- Exfiltrating any data under any circumstances.
- Any kind of activity that portrays you as acting from or on behalf of QBE Group, its customers or affiliates.
- Any activity that violates any law.
To encourage responsible disclosure, we will not take legal action against security researchers acting in good faith in relation to the discovery and reporting of a potential security vulnerability, provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all our legal rights.
How to Report a Potential Security Vulnerability
You can responsibly disclose potential security vulnerabilities to QBE’s Global Security Operations Centre by emailing security@qbe.com.
Please ensure that you include details of the potential security vulnerability and exploit with enough information to enable QBE’s security team to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:
- Date the vulnerability was observed;
- Location of the vulnerability (e.g. URL, domain etc);
- An explanation of the potential security vulnerability;
- A list of products and services that may be affected (where possible);
- Steps to reproduce the vulnerability;
- Prior conditions (e.g. logged in, not logged in, previous actions etc) where applicable;
- Names of any files that were uploaded to our systems;
- The names of any test accounts you have created (where applicable); and
- Your contact information.
What happens next?
Once you have reported a potential security vulnerability, we will acknowledge your report within 72 hours. We will endeavour to keep you informed of our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it.
We ask that you maintain confidentiality and do not make your research public without express written consent from us to ensure that we have completed our review and, if necessary, have remediated or mitigated the potential security vulnerability.
Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.