Responsible Disclosure Program Policy

Updated 2 October 2023

Welcome to the Smart Responsible Disclosure Program Policy (this “Policy”). We take the security of our systems seriously. If you believe you have discovered a potential security vulnerability in any of our systems you must follow the guidance and procedures on this page.

Any reports or communications in relation to potential security vulnerabilities which do not follow this Policy will not be acknowledged or responded to. Any actions which do not comply with applicable laws may result in legal action.

Rules:

  • Any research carried out must be lawful. Criminal and/or otherwise unlawful acts will not be tolerated and dealt with seriously.
  • All submissions must be made through the Intigriti platform, you will need to register on the platform here.
  • All disclosures must be submitted as soon as possible. Unnecessary delays can lead to the Reporter not receiving any applicable reward.
  • Public disclosures of any vulnerabilities (for example, through social media or the press) are strictly prohibited. We reserve our right to take legal action or withhold rewards if this Policy is not followed.
  • If you do discover a security vulnerability and come into possession of personal data about Smart customers or employees, you must ensure this is deleted as soon as you have made the disclosure through the form below. Personal data is any information that can be used to identify an individual.

What to Report

Do report:

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact

Don’t report:

  • Theoretical vulnerabilities
  • Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
  • Disclosure of known public files or directories (for example, robots.txt)
  • Banner disclosure on common/public services without a PoC
  • Security header configurations or missing header
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies – Phishing or Social Engineering Attack

Rewards

Any rewards are administered by Intigriti in line with their policies and processes. 

After reporting 

We aim to acknowledge your submission within 72 hours. We will validate the disclosure. Following this we will aim to contact you within five business days.

Submit vulnerability report

Register here on the Intigriti website.