Vulnerability Disclosure Policy

About this policy

This vulnerability disclosure policy covers any product or service provided by Fred or any of its subsidiaries, and to which the reporter has lawful access.

Fred does not permit any security testing to be performed on our systems unless the tester has been formally engaged to do so. We do not run a bug bounty program: we do not provide any rewards or public credits for finding and reporting vulnerabilities.

What this policy covers

This policy covers:

  • any product or service wholly owned by Fred to which you have lawful access

This policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS)
  • physical attacks
  • attempts to modify or destroy data.

How to report a vulnerability

If an individual / group has found a potential vulnerability in one of our systems, they are instructed to report the issue to Fred’s Information Security team (at Infosec@fred.com.au) as quickly as possible. If an individual / group reports a vulnerability under this policy, they must keep it confidential. Do not make the research public until we have finished investigating and fixed or mitigated the vulnerability.

What happens next

We will:

  • respond to your report within 5 business days
  • keep you informed of our progress