Responsible Disclosure Policy
At Gallagher we’re committed to outstanding quality, and as relentless innovators we’re always working to improve our products. Because of this continuous development, we value the opinions of the security research community and welcome the opportunity to work with you to strengthen our solutions for the benefit of our customers and the wider communities they operate within.
We ask that you, as professionals in your field, maintain a high standard of conduct and report any vulnerability you find to Gallagher in the first instance, so that we can respond and correct the issue without exposing our customers to any undue danger.
Below is our policy and what you can expect from us throughout the process.
If a fault has been found:
- Submit your findings to us using the form at the bottom of this page
- You can expect immediate acknowledgment of the receipt of your reported vulnerability and a member of our internal Security Advisory Committee will be in contact with you within one week. This person will be your main point of contact moving forward
Once a vulnerability has been reported:
- You can expect a first response from us within thirty days of your submission. This will contain an analysis of your reported vulnerability and an outline of our plan going forward
- We will be in regular contact to provide you with progress updates
- We may invite you to further collaborate with us to ensure the vulnerability is dealt with as effectively and efficiently as possible
Once a fix for a vulnerability has been released:
- We will communicate the vulnerability along with the solution to any affected customers
- We will acknowledge your contribution in reporting and helping to resolve the vulnerability
Throughout this process, we ask you to please keep all details confidential, allowing us and our customers the necessary time to respond and resolve any vulnerability, while maintaining the highest possible level of integrity.