Shell Energy

Responsible Disclosure Policy

1. About this policy

As an operator and provider of multiple information technology services for Shell Energy, Shell Energy IT has a material interest in the ability to maintain adequate security of its systems and IT infrastructure for Shell Energy Australia and its customers. Via this Responsible Disclosure policy[1] (the “Policy”) the Information Risk Management (IRM)  department of Shell Energy IT provides a framework that allows for the safe, secure, and responsible disclosure of weaknesses in our information technology infrastructure which can be exploited to perform unauthorized actions within a system (“vulnerabilities”). The purpose of this Policy is to enable the vulnerability to be reported responsibly and to be remediated or patched in order to retain the integrity, continuity and security of our services.

If you are a security researcher and you encounter a vulnerability, we would like to cooperate with you to fix the vulnerability before this can be misused.

2. Scope

We request you to communicate your findings to us in connection with vulnerabilities in our systems as soon as reasonably possible in the manner described below. The following are examples of categories of vulnerabilities in scope and we are interested in:

  • Remote Code Execution
  • SQL injection vulnerabilities
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Encryption vulnerabilities
Out of scope are:
  • Comments about Shell Energy services
  • Reports on (potential) fraud or compliance issues
  • Reports on phishing campaigns or emails and/or viruses or malware
3. Reporting a vulnerability responsibly

Please describe discovered vulnerability or issue in detail with supporting evidence if possible so that our information risk experts can analyze the finding.

You can send the report to the [email protected] email address.

To the extent possible, please include the following in your report:

  • Type of vulnerability or issue
  • Service, product or URL affected
  • Special configuration or requirements to reproduce the issue
  • Information necessary to reproduce the issue
  • Impact of the vulnerability together with an explanation of how an attacker could find it and exploit it

We welcome anonymous reports but we will not be able to share updates on the follow-up of the report.

Our information risk analysts will assess the finding and respond as soon as reasonably possible. Each case will be analysed individually. We kindly request you to provide us with the reasonable opportunity and time for this analysis, to keep the information confidential, and not to disclose the vulnerability to others without consultation with our analysts.

Any personal details that we have received from your side will be processed by us in accordance with the Shell global privacy notice for business customers, partners and counterparties available at www.shell.com/privacy (also in your local language, depending on your location). Your data will be processed for the purpose of responding to your report and addressing the reported vulnerabilities. We will retain your data for as long as your report is investigated and up to one year thereafter.

4. Ethical engagement rules

Certain hacking activities constitute criminal actions. To protect you and us please act in good faith and follow these rules of ethical engagement:

  • report the vulnerability to us in the manner set out above;
  • report the vulnerability as soon as you can to prevent that threat actors exploit the vulnerability before we have a chance to fix it;
  • report the vulnerability with us while keeping the information confidential (jn particular if it concerns personal data);
  • do not disclose the vulnerability to others;
  • do not use social engineering to gain access to our IT infrastructure or services;
  • do not install your own backdoor in our systems to disclose the vulnerability as this may result in unnecessary damage and security risks;
  • do not exploit a vulnerability further than necessary to confirm the vulnerability finding;
  • do not copy, modify, or remove data from system (an alternative is to create a directory listing of the system);
  • do not modify the system;
  • do not use Denial of Service attacks or brute force access technology;
  • do not use phishing;
  • do not use aggressive automated scanning;
  • do not negatively impact the confidentiality, integrity or availability of our services;
  • do not execute code on our systems;
  • do not attempt to penetrate the system further than necessary to confirm the vulnerability finding.
5. What will we do with your report

An information risk analyst will be allocated to investigate the reported findings. Each case may be analysed individually. We aim to reply within three (3) business days to acknowledge your report. After the initial analysis of the report, we may request further information, evidence, and support in connection with your findings. If the nature of the report is sensitive and/or contains personal data, we may provide instructions to exchange information using encryption keys to safeguard the confidentiality and security of communications and provide you further instructions as to how to securely dispose of personal data.

6. No rewards

No monetary compensation is offered or provided in connection with reporting vulnerabilities. This Policy is not intended to encourage hacking attempts in connection with Shell information technology infrastructure, but to provide a responsible framework under which security vulnerability reports can be communicated and remediated. On a case-by-case basis, in consultation, we will consider providing public acknowledgement of your support.

7. Questions

If at any time you have questions about the above procedure, feel free to reach out to [email protected]

[1] This policy is based on guidance issued in 2013 by the national cyber security center of the Dutch Ministry of Security and Justice, available here: https://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html

and the guidance issued in 2013 by Dutch Public Justice Department, available here: https://www.om.nl/publish/pages/22742/03_18_13_beleidsbrief_college_responsible_disclosure.pdf