Broker access

Responsible disclosure

British Gas Plus Responsible Disclosure policy

We take the security of our products and services very seriously – so the feedback we get from security researchers is appreciated. It helps us safeguard our services and protect our customers and their data.

We operate a policy of responsible disclosure for reporting security vulnerabilities.

How to report a suspected security vulnerability

If you believe you’ve found a potential vulnerability, please use the responsible disclosure form below and give us as much detail about it as possible.

Please don’t make any information about any vulnerabilities public, or do anything else that might put our customers’ data or our intellectual property at risk. And do not degrade our systems.

What actions will we take?

We’ll acknowledge your submission and review the reported issue. If you’re right and there is an issue, we’ll give you an estimate for how long it will take to sort out.

Activity that we don’t allow:

We don’t allow any activity that might interfere with customers using our services, or any activity that might result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. With that in mind, these are some of the specific things we don’t allow:

  • Public disclosure of personal, proprietary or financial information
  • The modification or deletion of data that isn’t yours
  • Interruption, degradation or outage to services (like Denial of Service attacks)
  • Spamming / social engineering / phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Local network-based attacks such as DNS poisoning or ARP spoofing

Vulnerability submissions that are out of scope of our responsible disclosure policy:

  • Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common / public services
  • Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)