Vulnerability Disclosure Policy

Introduction

This is the Barings Security Vulnerability Disclosure Policy; please read this disclosure policy fully before you report any vulnerabilities; this helps ensure that you understand and act in compliance with it.

Barings are committed to:

  • investigating and resolving security issues in our platform and services thoroughly
  • working in collaboration with the security community
  • responding promptly and actively

This page was last updated on 03/30/2023.

Scope & Guidance

You must NOT:

  • Break any relevant laws or regulations.
  • Access unnecessary or excessive amounts of data.
  • Modify data in Barings’ systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service.
  • Disrupt or modify services or systems.
  • Submit reports on non-exploitable vulnerabilities or non-alignment with best practices.
  • Submit reports detailing TLS configuration weaknesses e.g. “weak” cipher suite support.
  • Communicate vulnerabilities other than by means described in the associated security.txt file.
  • Social engineer, ‘phish’ or physically attack the Organization’s staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Comply with data protection rules and must not violate the privacy of any data Barings holds. You must not, for example, share or redistribute data retrieved from Barings’ systems or services.
  • Securely delete all data as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Reporting a vulnerability

If you have discovered something you believe to be an in-scope security vulnerability, first you should check the above details for more information about scope, then submit a report as described.

This should include:

  • The website or page where the vulnerability can be observed.
  • A brief description of the type of vulnerability.

Your report should provide a benign, non-destructive, proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as subdomain takeovers.

Bug bounty

We value those who take the time and effort to report security vulnerabilities according to this policy, however, we do not offer monetary rewards for vulnerability disclosures.

What to expect

After submitting your vulnerability report, you will receive an acknowledgement reply, usually within 5 working days of your report being received.  Barings will triage the reported vulnerability and respond as soon as possible to let you know whether further information is required, the vulnerability is in or out of scope, or is a duplicate report.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Barings or partner organisations to be in breach of any legal obligations.