Responsible Disclosures

BT’s security team is committed to protecting our customers, our company, and our brands, and we therefore welcome investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers. As part of this commitment, we continually test for new ways adversaries might attempt to impact our network, systems, and services. If you believe that you have identified a security vulnerability, then your values clearly align with our own, and we encourage you to report this into BT. It will then be reviewed by our security team. Where the information you have disclosed about a security issue is not public knowledge, BT will keep this information confidential and will not disclose the information to third parties without your permission, unless a disclosure is:

• required by law or legal process,
• in response to a lawful request from law enforcement, government agencies or other public bodies, or
• necessary or appropriate, as determined by BT in its sole discretion, to protect our customers, our company, or our brands.

We are committed to:

• investigating and resolving security issues on our network and services thoroughly
• working in collaboration with the security community
• responding promptly and actively

These terms and conditions are intended to provide guidance and does not provide indemnity or protection in respect of the compliance of such disclosures with the law or with other legal obligations.

Scope

This disclosure policy applies only to exploitable vulnerabilities in BT Group Plc products and services, subsidiaries and partners*  which are: -

• original, previously unreported, and not already discovered by internal procedures.
• please do not report vulnerabilities resulting from overwhelming a service with a high volume of requests (such as Denial of Service and Distributed Denial of Service attacks)
• non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice”, for example missing security headers.

The policy applies to everyone, including for example BT employees, third party suppliers and vendors, and customers of BT.

Bug bounty

It is not currently possible for us to offer a paid bug bounty programme. We will, however, show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy wherever we can. Reporters of confirmed vulnerabilities, with their consent, will be recognised in our Hall of Fame. 

Reporting a vulnerability

If you believe you have found a vulnerability, then please fill the form below. If you discover personally identifiable information while exploring a security vulnerability, please stop your investigation immediately, report it straight away, and tell us what you were doing that led you to that discovery.

When sending us details, we will ask you for your name, an email address where we can contact you for further information, as well as any detailed description or information that you have that led you to this security vulnerability.

We will also ask you for details of the service affected, as well a description of how the vulnerability was discovered, or what steps you had taken when you encountered the vulnerability.

What happens next

You will receive notification within 24 hours from our security team, who will provide you with a reference number for all further communication and correspondence. We will also request at this stage, any further supporting documentation, for example ‘proof of concept’.

If you identify a vulnerability in accordance with this policy, then we give a promise back to you, that we will work with you to understand, confirm and address the vulnerability appropriately, as per the assessed risk, and resolve the issue within 90 days.

However, if we do not hear back from you within 48 hours of initial contact, we will not make any further attempts to re-engage with yourself after this period of time.

Guidance

By reporting a vulnerability to us, you are agreeing to the following:

• Conversing with BT about the vulnerability prior, to any public disclosure.
• All communication with BT is to be treated as confidential.
• Any reports are original to you (if you are reporting on behalf of someone else or a third party, you must have obtained permission on their behalf).
• BT and its partners/subsidiaries have unconditional permission to distribute or disclose the information in your report.

Legal bit

This policy is designed to be compatible with good practices among security researchers. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause BT to be in breach of any of its legal obligations, including but not limited to:

• The Computer Misuse Act 1990
• The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

To the extent compatible with its legal obligations, BT will not take civil action against or seek prosecution of security researchers who report any security vulnerability on a BT service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.

Feedback

If you wish to provide feedback on these terms and conditions or policy, then please contact the BT Security team. The policy will evolve over time, with best practice and lesson learnt, therefore your input is encouraged and will be valued to ensure that this policy remains clear, complete, and relevant to anyone using it.

*BT Group PLC partners and subsidiaries include PlusNet, EE and Openreach