🇺🇸 United States · snapshot 2026-06-21 · 100 companies · graded against the disclose.io Maturity Model
| # | Company | Report | Policy | Disclose.io Maturity Level | Last verified | |
|---|---|---|---|---|---|---|
| 1 | Amazon amazon.com |
Web form ↗ | policy ↗ | L1 | 2026-06-21 | ▸ |
Contact Only policy text · confidence high
Report via: https://hackerone.com/amazonvrp · Policy: https://aws.amazon.com/.well-known/security.txt
“Contact: mailto:aws-security@amazon.com | AWS Vulnerability Disclosure Program: https://hackerone.com/aws_vdp | Policy: https://vdp.aws.security/” | ||||||
| 2 | Walmart walmart.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://corporate.walmart.com/article/responsible-disclosure-policy · Policy: https://corporate.walmart.com/article/responsible-disclosure-policy
“Walmart Responsible Disclosure Policy: 'We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.' Promissory non-pursuit, but testing NOT explicitly authorized, no CFAA/DMCA/ToS carve-out, no timeline → L3. security.txt live, Contact → policy.” | ||||||
| 3 | UnitedHealth Group unitedhealthgroup.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: Securityreporting@optum.com · Policy: https://www.optum.com/vulnerability.html
“This policy prohibits the performance of the following activities: Hacking, penetration testing, or other attempts to gain unauthorized access to UnitedHealth Group software or systems; Active vulnerability scanning or testing; | If you have discovered an issue that you believe is an in-scope vulnerability, please email securityreporting@optum.com | The following types of vulnerabilities are considered out of the scope for the purposes of this program: Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS); Reports of non-exploitable vulnerabilities... | The time to address a valid, reported vulnerability will vary based on impact of the potential vulnerability and affected systems. | For the security of our customers, UnitedHealth Group will not disclose, discuss, or confirm security issues. | Security researchers must not violate any law, or access, use, alter or compromise in any manner any UnitedHealth Group data.” | ||||||
| 4 | Apple apple.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: https://security.apple.com/bounty/guidelines/ · Policy: https://security.apple.com/bounty/guidelines/
“For Product categories, the issue must affect the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS, with a standard configuration and on publicly available Apple hardware or Security Research Device. | For Services, the issue must relate to a web server or service owned by Apple or an Apple subsidiary. | Submit your report online to help ensure that you receive timely updates, can add additional information as needed, and can communicate with Apple security engineers about your report. | We make it a priority to resolve security and privacy issues as quickly as possible, and most reports are resolved within 90 days. | Publicly disclosing security issues before a fix is available makes you ineligible for all Apple Security Bounty rewards.” | ||||||
| 5 | Alphabet google.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence medium
Report via: https://g.co/vulnz · Policy: https://bughunters.google.com/about/rules/google-friends/google-and-alphabet-vulnerability-reward-program-vrp-rules
“Google & Alphabet VRP (Bug Hunters), live since 2010. Scope: 'any Google-owned or Alphabet (Bet) subsidiary web service that handles reasonably sensitive user data'. Authorization language is RESTRICTIVE only: 'The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications...'. No affirmative safe-harbor, no 'will not pursue legal action', no CFAA/DMCA/ToS carve-out, no CVD deadline in the VRP policy. security.txt: Contact https://g.co/vulnz + security@google.com; Policy https://g.co/vrp.” | ||||||
| 6 | CVS Health cvshealth.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: https://www.cvshealth.com/vulnerability-disclosure-program · Policy: https://www.cvshealth.com/vulnerability-disclosure-program
“we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue. | Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disrupting our customers' experience are all outside the scope of this program and outside any protections it affords from legal recourse. | You are expected to engage in security research responsibly. | Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines” | ||||||
| 7 | Berkshire Hathaway berkshirehathaway.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No public channel. hackerone.com/berkshirehathaway is a legacy directory stub (GraphQL submission_state=null, policy=null, scopes=[]). security.txt 404 at all paths (genuine Apache 404, not WAF). Search hits claiming a VDP are AI inferences from the empty stub. Prior 'none' confirmed.” | ||||||
| 8 | McKesson mckesson.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: mailto:mckesson@submit.bugcrowd.com · Policy: https://www.mckesson.com/cybersecurity/coordinated-vulnerability-disclosure/
“please submit it in the form below or email VulnerabilityReporting@McKesson.com | We will contact you to confirm that we've received your report and trace your steps to reproduce your research. We will work with the affected teams to validate the report. We will notify you of remediation | Do not hack, penetrate, or attempt to gain access to McKesson infrastructure, systems, or data | you agree to comply with McKesson's Terms of Service, McKesson's Privacy Policy, and all applicable state, federal, or international laws and regulations | you may not publicly disclose your findings or the contents of your Submission to any third parties. McKesson's program does not permit disclosure to any party outside of McKesson” | ||||||
| 9 | Exxon Mobil exxonmobil.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No public channel. hackerone.com/exxonmobil is an unclaimed community stub — real-Chrome render reads 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'This page is not affiliated with ExxonMobil.' GraphQL: empty policy/email, offers_rewards=false. security.txt 404. Prior 'none' confirmed.” | ||||||
| 10 | Cencora cencora.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No org-operated channel. Only artifact is an unclaimed HackerOne community stub at hackerone.com/healthcareabc (AmerisourceBergen) — real-Chrome render: 'There are no known guidelines...' + 'This page is not affiliated...' + 'Claim this page'. No scope/submit/policy/email. Below L1. Prior 'none' confirmed.” | ||||||
| 11 | Microsoft microsoft.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor · Policy: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor
“Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions , Microsoft Bounty Legal Safe Harbor , Rules of Engagement , Bounty Program Guidelines | Cloud Programs Up to $100,000 USD ... Endpoint & On-Prem Programs Up to $250,000 USD ... Zero Day Quest Up to $100,000 USD | Report vulnerabilities privately and allow time for remediation before public disclosure. Adhere to our Rules of Engagement and program scope to ensure eligibility for awards. | Do not access, modify, or exfiltrate customer data. Never disrupt services or compromise uptime.” | ||||||
| 12 | JPMorgan Chase jpmorganchase.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: https://responsibledisclosure.jpmorganchase.com · Policy: https://responsibledisclosure.jpmorganchase.com
“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact | Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) | Work directly with the JPMorgan Chase Responsible Disclosure Program on vulnerability submissions | you will be allowed to disclose the vulnerability after a fix has been issued | Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.JPMorganChase.com” | ||||||
| 13 | Costco Wholesale costco.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/costco · Policy: https://hackerone.com/costco
“LIVE HackerOne VDP (GraphQL submission_state=open, public_mode, offers_bounties=false). Safe Harbor: 'We do not intend to assert claims under computer abuse laws for activities conducted in a manner consistent with this policy... if legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Promissory + CFAA reference, but testing NOT explicitly authorized, no DMCA/ToS carve-out → L3. security.txt at www.costco.com/security.txt (root). Prior L1 undercounted → L3.” | ||||||
| 14 | Cigna Group cigna.com |
Email ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: security@cigna.com · Policy: https://www.cigna.com/legal/members/responsible-vulnerability-disclosure
“VDP at cigna.com/legal/members/responsible-vulnerability-disclosure. Safe harbor: 'We will not pursue legal action against you if you act in good faith... comply with these Guidelines...'. CVD timeline: 'Please provide us a minimum of 90 days... After this 90 day period, you may publicly disclose...'. Submit via security@cigna.com (PGP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out → L3 (has a 90-day clock but testing not authorized). Prior L1 undercounted → L3.” | ||||||
| 15 | Cardinal Health cardinalhealth.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: GMB-MedicalDeviceSecurity@cardinalhealth.com · Policy: https://www.cardinalhealth.com/en/support/coordinated-vulnerability-disclosure.html
“Coordinated Vulnerability Disclosure process: report via email to GMB-MedicalDeviceSecurity@cardinalhealth.com; scope = supported/connected medical devices. No safe-harbor or testing authorization. (hackerone.com/cardinal_health is a non-operational directory placeholder.)” | ||||||
| 16 | Nvidia nvidia.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence medium
Report via: https://www.intigriti.com/programs/nvidia/nvidiavdp/detail · Policy: https://www.intigriti.com/programs/nvidia/nvidiavdp/detail
“This is a responsible disclosure program without bounties. | Your Submission must be for an Asset (herein referred to as "product" and/or "technology") that is identified as in scope of the NVIDIA Program(s). | You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform. | You agree to conduct your research within the bounds of Ethical Hacking. | You agree to practice coordinated disclosure in all of your security research conducted under the Program” | ||||||
| 17 | Meta Platforms meta.com |
Web form ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor deep audit · confidence high
Report via: https://www.facebook.com/whitehat/report/ · Policy: https://bugbounty.meta.com/terms/
“First-party Meta Bug Bounty (not HackerOne). Testing auth + CFAA: 'We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA)... to test the security of the products and systems identified as in-scope.' Safe harbor: 'we will not initiate a complaint to law enforcement or pursue a civil action against you.' DMCA: 'Meta will also not pursue... DMCA claims against you for circumventing the technological measures...'. ToS waiver: 'To the extent activities authorized by these Meta Bug Bounty terms are inconsistent with other terms of service... we waive those restrictions.' No day-count deadline → L4. Prior directory-L2 was a major miss.” | ||||||
| 18 | Elevance Health elevancehealth.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. Only HackerOne presence (antheminc, former name) is a community stub ('There are no known guidelines...', 'not affiliated with Anthem'). security.txt 404 (elevancehealth.com + anthem.com). Own cybersecurity page is internal governance only. Prior 'none' confirmed.” | ||||||
| 19 | Centene centene.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/centene_vdp · Policy: https://hackerone.com/centene_vdp?type=team
“Active HackerOne VDP at hackerone.com/centene_vdp (HTTP 200, type VDP). 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you' + third-party defense = safe harbor + authorization (L3). policy_versions grep: zero CFAA/DMCA/ToS/timeline → no L4/L5. Prior 'none' matched the empty /centene stub, not the real _vdp program.” | ||||||
| 20 | Bank of America bankofamerica.com |
PSIRT ↗ | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
Report via: https://www.first.org/members/teams/bank_of_america_cyber_threat_defence
“hackerone.com/bofa is an empty stub (GraphQL submission_state=null, validated against working controls). bankofamerica handle NOT_FOUND. Bugcrowd 404 (3 slugs). Synack ECONNREFUSED. security.txt 404. security-center is consumer fraud/phishing only, no researcher channel. Prior L1 was a false channel → L0.” | ||||||
| 21 | Chevron chevron.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“hackerone.com/chevron is an unclaimed community stub (real-Chrome: 'There are no known guidelines...', 'not affiliated with Chevron', no submit). Bugcrowd 404. Synack ECONNREFUSED. No security.txt (404 www+apex). Own cybersecurity page is internal-only. Prior 'none' confirmed.” | ||||||
| 22 | Ford Motor ford.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/ford · Policy: https://hackerone.com/ford?view_policy=true
“Live HackerOne VDP ('Ford - Vulnerability Disclosure Program'; also a Bugcrowd coordinated-disclosure engagement). Safe harbor (via FireBounty mirror + WebFetch): 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you' + third-party support. Scope *.ford.com/*.lincoln.com + FordPass + vehicle hardware. No CFAA/DMCA/ToS, no deadline → L3. Prior 'none'/timeout was wrong.” | ||||||
| 23 | General Motors gm.com |
HackerOne ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor web search · confidence high
Report via: https://hackerone.com/gm/reports/new?type=team&report_type=vulnerability · Policy: https://hackerone.com/gm
“Live public HackerOne VDP (submission_state=open, public_mode). 'GM agrees not to pursue civil action against researchers who comply...'; activities consistent with the policy are '"authorized" conduct under the Computer Fraud and Abuse Act'; '...we will not bring a DMCA claim...'. No explicit ToS carve-out and no published CVD deadline (disclosure gated on remediation).” Source: https://hackerone.com/gm | ||||||
| 24 | Citigroup citi.com |
Bugcrowd ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://bugcrowd.com/engagements/citi · Policy: https://bugcrowd.com/engagements/citi
“Live Bugcrowd VDP (state in_progress, open, scope 'Any Citigroup owned asset', no_reward). Citi's authored policy DISCLAIMS authorization/safe harbor: 'this program should not be construed as encouragement or permission to perform... Hack, penetrate or otherwise attempt to gain unauthorized access... Citi does not waive any rights or claims.' → real VDP but no safe harbor = L2 (authored prose governs over Bugcrowd's generic badge).” | ||||||
| 25 | Home Depot homedepot.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No current channel. security.txt 404 (live only in a single 2023 snapshot, gone since). Synack host homedepot.responsibledisclosure.com now NXDOMAIN (VDP decommissioned). No HackerOne/Bugcrowd. TechCrunch (2025-12-12): 'Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program.' Prior 'none' confirmed.” | ||||||
| 26 | Fannie Mae fanniemae.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: https://www.fanniemae.com/form/report-technology-vulnerability · Policy: https://www.fanniemae.com/about-us/reporting-technology-vulnerability
“Working vulnerability-report web form on own domain (fields for location/URL, repro steps, impact, PoC, reporter email). No safe-harbor/no-legal-action promise, no testing authorization; reports may be shared with law enforcement. (hackerone.com/fanniemae is a directory placeholder.)” | ||||||
| 27 | Kroger kroger.com |
Bugcrowd ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/kroger-vdp · Policy: https://bugcrowd.com/engagements/kroger-vdp
“Live Bugcrowd VDP (no_reward, open). Explicit authorization: 'Testing is authorized on the websites and applications in scope.' Safe harbor: 'We consider any security research conducted in good faith and in compliance with this Policy to be authorized conduct and we will not initiate legal action against you... If legal action is initiated by a third party... we will take steps to make it known that your actions were authorized.' No CFAA/DMCA/ToS carve-out; disclosure gated on consent (no timeline) → L3. security.txt routes Contact to bugcrowd.com/kroger-vdp. Prior L1 undercounted → L3.” | ||||||
| 28 | Verizon verizon.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: vecirt-incident@verizon.com · Policy: https://www.verizon.com/solutions-and-services/report-security-vulnerability/
“Official 'Report Security Vulnerability' page; submit via vecirt-incident@verizon.com (routed to CIRT). Explicitly anti-safe-harbor: 'Verizon does not endorse, solicit, or request independent testing... for security vulnerabilities' and requires following all Terms and Conditions. No carve-out, no timeline.” | ||||||
| 29 | Phillips 66 phillips66.com |
HackerOne ↗ | policy ↗ | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence low
Report via: https://hackerone.com/phillips66co · Policy: https://hackerone.com/phillips66co
“CONFIRMED LIVE HackerOne VDP: GraphQL team(handle:'phillips66co') resolves to a real registered program 'Phillips 66' (energy co, distinct from healthcare 'philips'). No-bounty VDP. BUT policy markdown is UNREADABLE via every unauthenticated channel (live + Wayback are JS shells; GraphQL policy:null), so exact level could not be read — ≥L2 floor, L3/L4/L5 indeterminate. Level NOT guessed (unverified). security.txt 404. Bugcrowd 404.” | ||||||
| 30 | Marathon Petroleum marathonpetroleum.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel for MPC. No owned VDP/PSIRT/security page — corporate ToU is anti-testing: prohibits 'attempting to probe, scan, or test the vulnerability of any system' and 'will cooperate with law enforcement'. HackerOne /marathonpetroleum = Page not found. Bugcrowd 404. Synack no DNS. security.txt absent (Wayback 404 both 2023 snapshots). Prior 'none' confirmed (hostile posture).” | ||||||
| 31 | StoneX Group stonex.com |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: itsecurity@stonex.com
“Live security.txt (200): 'Contact: mailto:itsecurity@stonex.com / Encryption: .../itsecurity.pgp / Hiring: ...'. NO Policy: field, no scope, no submission form, no safe-harbor. Contact-only. No owned VDP, no HackerOne/Bugcrowd, no Synack. Prior L1 confirmed.” | ||||||
| 32 | State Farm statefarm.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor policy text · confidence high
Report via: https://bugcrowd.com/vulnerability-rating-taxonomy · Policy: https://www.statefarm.com/customer-care/privacy-security/security/vulnerability-disclosure-policy
“State Farm will not take legal action against you or revoke access to State Farm applications | If you have noticed an information security issue in a State Farm system while using www.statefarm.com or a State Farm mobile application, we want to hear about it | Please disclose issues using the Vulnerability Disclosure Communication form located on this web page | State Farm will work to address the issue in a timely fashion | We reserve all legal rights in the event of noncompliance” | ||||||
| 33 | Freddie Mac freddiemac.com |
Bugcrowd ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: https://bugcrowd.com/engagements/freddie-mac-vdp-ess · Policy: https://www.freddiemac.com/terms/vulnerability_disclosure_policy
“VDP on own domain: 'applies to all internet-facing assets...'. Triaged by Bugcrowd; no bounty. No safe-harbor/no-legal-action promise, no testing authorization, no carve-out, no timeline.” | ||||||
| 34 | Humana humana.com |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only web search · confidence high
Report via: bugbounty@humana.com
“security.txt resolves at ROOT (humana.com/security.txt; /.well-known/ 404s), HTTP 200: 'Contact: mailto:bugbounty@humana.com / Expires: 2026-01-01 / Hiring: ...'. No Policy: field, no public HackerOne/Bugcrowd program. Contact-only. (Expires date is in the past.)” | ||||||
| 35 | AT&T att.com |
HackerOne ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://hackerone.com/att · Policy: https://hackerone.com/att?view_policy=true
“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties $50-$3,000). Scope + submit path = L2. NO safe harbor/authorization/carve-out. Restrictive: 'You may only exploit... your own accounts. Testing must not violate any law...' + injunctive-relief threat. No security.txt. Prior L1 undercounted.” | ||||||
| 36 | Goldman Sachs goldmansachs.com |
HackerOne ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://hackerone.com/goldmansachs · Policy: https://hackerone.com/goldmansachs?view_policy=true
“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties). Scope (*.gs.com, *.goldmansachs.com) + Submit = L2. No promissory safe harbor (only HackerOne boilerplate). No carve-out, no timeline ('will not be publicly disclosing reports at this time'). Prior L1 undercounted.” | ||||||
| 37 | Comcast xfinity.com |
Bugcrowd ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor deep audit · confidence high
Report via: securitydefectreporting@comcast.com · Policy: https://bugcrowd.com/engagements/comcastvdp
“Real public Bugcrowd program 'Comcast Xfinity VDP' (slug comcastvdp, participation=open, 1,459 rewarded). Brief safeHarborStatus='full' (= CFAA/CMA + DMCA + ToS/AUP carve-outs per Bugcrowd/disclose.io definition). 'Testing is only authorized on the targets listed as in scope.' No published disclosure deadline → L4. xfinity.com/vulnerabilityreport routes here. (hackerone.com/comcast is a null stub.) Prior L1 was a major miss.” | ||||||
| 38 | Wells Fargo wellsfargo.com |
Email ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: ResponsibleDisclosure@wellsfargo.com · Policy: https://www.wellsfargo.com/privacy-security/fraud/responsible-disclosure-program/
“First-party policy: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.' + third-party defense language. Testing authorized + non-pursuit = L3. No CFAA/DMCA/ToS carve-out, no disclosure timeline. Email submission; public disclosure prohibited without permission. Prior L1 undercounted.” | ||||||
| 39 | Morgan Stanley morganstanley.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP policy text · confidence high
Report via: https://morganstanley.responsibledisclosure.com/ · Policy: https://morganstanley.responsibledisclosure.com/
“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact | Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) | To work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith | you will be allowed to disclose the vulnerability after a fix has been issued | Not to engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems” | ||||||
| 40 | Valero Energy valero.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths (HTML). HackerOne valero = team does not exist; valeroenergy = null community stub. Bugcrowd 404. Synack no DNS. Legal Notice PROHIBITS testing ('Probes, scans, or tests the vulnerability... without proper authorization'); only generic privacy emails. Prior 'none' confirmed.” | ||||||
| 41 | Dell Technologies dell.com |
Web form ↗ | policy ↗ | L1 | 2026-06-21 | ▸ |
Contact Only policy text · confidence high
Report via: https://bugcrowd.com/dell-com · Policy: https://afcs.dell.com/.well-known/security.txt
“Contact: https://www.dell.com/support/dell-vulnerability-response-policy # Bug Bounty Program - Applications | Contact: https://bugcrowd.com/dell-com # Bug Bounty Program - Products | Contact: https://bugcrowd.com/dell-product | Policy: https://www.dell.com/support/dell-vulnerability-response-policy” | ||||||
| 42 | Target target.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor web search · confidence high
Report via: security@target.com · Policy: https://security.target.com/vdp/
“Policy on own domain (security.target.com/vdp/). Scope: 'any of Target's guest-facing online services.' Safe harbor: 'Target will not take legal action against you related to any activities conducted in a manner consistent with this Policy and otherwise in good faith.' Submissions via HackerOne. No explicit authorization to test or statutory carve-outs.” | ||||||
| 43 | Tesla tesla.com |
Bugcrowd ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor web search · confidence high
Report via: VulnerabilityReporting@tesla.com · Policy: https://www.tesla.com/legal/security
“security.txt at /.well-known/ (confirmed via Wayback; live edge WAF-blocks non-browsers). Policy tesla.com/legal/security: 'pre-approved, good-faith security researcher... has not accessed a computer without authorization... under the CFAA' (CFAA) and 'will not bring a copyright infringement claim under the DMCA... who circumvents security mechanism' (DMCA). Authorization gated on pre-registration; no explicit ToS waiver; disclosure 'reasonable time' (no fixed deadline) → L3. Public Bugcrowd program bugcrowd.com/tesla.” | ||||||
| 44 | Walt Disney disney.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/disney · Policy: https://hackerone.com/disney
“Real open HackerOne program (GraphQL submission_state=open, public_mode, 'The Walt Disney Company'). Conditional non-pursuit: 'If we conclude, in our sole discretion, that you have complied... TWDC will not pursue claims against you in response to your report.' Testing NOT broadly authorized; no carve-outs; SLAs are response targets not a CVD deadline. Scope incl. Disney+, ESPN, Marvel, etc. Prior L1 undercounted → L3.” | ||||||
| 45 | Johnson & Johnson jnj.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: vulnerability_reporting@its.jnj.com · Policy: https://www.jnj.com/coordinated-vulnerability-disclosure-statement
“Vulnerability Reporting Program scope = 'J&J's infrastructure, websites, public APIs, and applications'; report via vulnerability_reporting@its.jnj.com (devices via productsecurity@jnj.com). 10-business-day acknowledgment; asks to 'Comply with all laws.' No safe-harbor language. Also runs hackerone.com/jnj.” | ||||||
| 46 | PepsiCo pepsico.com |
HackerOne ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://hackerone.com/pepsico_vdp · Policy: https://hackerone.com/pepsico_vdp
“HackerOne 'pepsico_vdp' (GraphQL submission_state=open, public_mode). Real VDP with scope/rules but NO safe-harbor/legal/authorization language → L2. Bare 'pepsico' = team does not exist; no security.txt (404); no Synack/Bugcrowd. Prior L1 undercounted.” | ||||||
| 47 | Boeing boeing.com |
Web form ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor policy text · confidence high
Report via: https://www.boeing.com/vulnerabilitydisclosure · Policy: https://www.boeing.com/vulnerabilitydisclosure
“Boeing will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. | We consider activities conducted consistent with this policy to constitute authorized access under anti-hacking laws. | To the extent your activities are inconsistent with certain Boeing terms and conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. | Provide Boeing reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.” | ||||||
| 48 | UPS ups.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/ups · Policy: https://hackerone.com/ups
“HackerOne 'ups' (UPS VDP, GraphQL open/public_mode). Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorization + non-pursuit but no CFAA/DMCA/ToS carve-out, no deadline → L3. No security.txt (404). Prior L1 undercounted.” | ||||||
| 49 | RTX rtx.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP web search · confidence high
Report via: https://www.rtx.com/contacts/vulnerability-reporting · Policy: https://www.rtx.com/contacts/vulnerability-reporting
“VDP on own domain with embedded web form. Scope: 'public facing RTX product, system, or asset'. Asks to 'Provide RTX reasonable time to resolve.' No safe-harbor, no authorization, no timeline. Also listed on hackerone.com/rtx.” | ||||||
| 50 | FedEx fedex.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence high
Report via: https://fedex.responsibledisclosure.com/hc/en-us/requests/new · Policy: https://www.synack.com/vdp/fedex/
“VDP managed by Synack. Scope *.fedex.com. Safe harbor: 'Synack will not bring a private action against you or refer the matter for public inquiry.' Submit via fedex.responsibledisclosure.com. (Trust Center landing page intermittently 503s.)”
| 51 | Progressive progressive.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“Only an empty HackerOne community stub (hackerone.com/progressivecorp — GraphQL state=null, policy=null, external_program). Own /security/ 404; security.txt both paths = branded 404. No real HackerOne program (4 slugs none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”
| 52 | Lowe's lowes.com | HackerOne | policy | L3 | 2026-06-21 |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/lowes · Policy: https://hackerone.com/lowes
“HackerOne 'lowes' (Lowe's Companies VDP, GraphQL open/public_mode). Non-pursuit: "Lowe's will not take legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Vulnerability Disclosure Policy." Full scope + SLAs (real VDP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out, no deadline → L3. (lowes.com security.txt bleeds through to an unrelated TIAA-CREF stub — not Lowe's.) Prior L1 undercounted.”
| 53 | Energy Transfer energytransfer.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel. HackerOne 'Team does not exist' (4 slugs). No Bugcrowd (404). No Synack (NXDOMAIN). security.txt behind F5 WAF 403 with no real file. Only a corporate privacy mailbox (not a researcher channel). Prior 'none' confirmed.”
| 54 | Procter & Gamble pg.com | Web form | policy | L4 | 2026-06-21 |
Full Safe Harbor · policy text · confidence high
Report via: https://vdp.pg.com · Policy: https://vdp.pg.com
“we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy | Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls | Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis | Public disclosure may be allowed upon request, and only after granted written permission to do so from P&G” Source: https://vdp.pg.com
| 55 | Sysco sysco.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“Only an empty HackerOne community stub (hackerone.com/sysco — GraphQL state=null, policy=null, external_program). security.txt path returns 200 but is SPA HTML (not a real file). No real HackerOne (syscocorp none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”
| 56 | American Express americanexpress.com | security.txt | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
Report via: security@swisscard.ch
“hackerone.com/americanexpress is an empty community-curated stub (GraphQL submission_state=null, policy='', external_program, scopes=[]). security.txt both paths 302→404 (Akamai). Amex security-center is consumer fraud guidance; sole email spoof@americanexpress.com is phishing, not vuln disclosure. Bugcrowd 404; Synack ECONNREFUSED. Prior L1 was a false channel → L0.”
| 57 | Albertsons albertsons.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence high
Report via: https://albertsons.responsibledisclosure.com/hc/en-us · Policy: https://albertsons.responsibledisclosure.com/hc/en-us
“Responsible Disclosure powered by Synack. Submit via form. Safe harbor: '...Synack will not bring a private action against the reporter or refer the matter for public inquiry.' Disclosure only after fix. (Site 403s bots.)”
| 58 | Archer Daniels Midland adm.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel. Footer exposes only Privacy/Terms/Compliance, no security link. HackerOne /adm + /archer_daniels_midland 404 (no program/stub). Bugcrowd /engagements/adm 404. Synack ECONNREFUSED. security.txt both paths clean 404 (not WAF). Prior 'none' confirmed.”
| 59 | MetLife metlife.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“hackerone.com/metlife is an empty community stub — real-Chrome render verbatim: 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'not affiliated with MetLife... Claim this page', no Submit button (submission_state null). Bugcrowd 404. Synack ECONNREFUSED. security.txt 404/403. Own pages: only phish@metlife.com (phishing). Prior 'none' confirmed.”
| 60 | HCA Healthcare hcahealthcare.com | Web form | policy | L2 | 2026-06-21 |
Basic VDP · policy text · confidence medium
Report via: https://www.hcahealthcare.com/legal/responsible-disclosure · Policy: https://www.hcahealthcare.com/legal/responsible-disclosure
“please let us know by emailing our Information Protection & Security team directly at Information.Protection@hcahealthcare.com | We ask that you work with us to diagnose and correct a vulnerability prior to publically disclosing it to ensure the safety and wellbeing of our patients and systems | We ask that you not perform vulnerability or similar testing on products that are actively in use for public safety reasons | In the event you share information with us, you agree that the information you submit will be considered non-proprietary and non-confidential, and that we may use such information in any manner, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for us.”
| 61 | Lockheed Martin lockheedmartin.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · deep audit · confidence high
Report via: https://www.lockheedmartin.com/en-us/contact/vulnerability-disclosure-policy.html · Policy: https://www.lockheedmartin.com/en-us/contact/vulnerability-disclosure-policy.html
“Own VDP page. Testing authorized + CFAA: 'Lockheed Martin considers security research and vulnerability disclosure activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act and other applicable computer use laws.' Non-pursuit: 'will not pursue civil or criminal action... for accidental or good faith violations of this policy'. CVD timeline: 'Keep information about any vulnerabilities... confidential between yourself and Lockheed Martin until we have had minimum 120 days to verify and resolve the issue.' L4 signals + published 120-day timeline → L5. Prior L1 was a major miss (HackerOne entry was only a community stub).”
| 62 | New York Life newyorklife.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No external channel. security.txt 404 live + Wayback (Jun 2023–Nov 2024). HackerOne 4 slugs 404; /nyl is a generic non-NYL handle. Bugcrowd 4 variants 404. Synack ECONNREFUSED. Own Information Security page describes internal defensive program only, no report mechanism. Prior 'none' confirmed.”
| 63 | Capital One capitalone.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · policy text · confidence high
Report via: https://hackerone.com/capital-one-bounty · Policy: https://www.capitalone.com/digital/responsible-disclosure/
“By responsibly submitting your findings to Capital One in accordance with these guidelines Capital One agrees not to pursue legal action against you. | Capital One reserves all legal rights in the event of noncompliance with these guidelines. | Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity. | Provide Capital One reasonable time to fix any reported issue. | Out of Scope Vulnerabilities Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.”
| 64 | Allstate allstate.com | Email | policy | L1 | 2026-06-21 |
Contact Only · deep audit · confidence high
Report via: SecurityDisclosure@infoarmor.com · Policy: https://www.allstateidentityprotection.com/security
“Allstate Identity Protection (Allstate-owned, formerly InfoArmor) security page: 'Report any potential security bug or vulnerability to SecurityDisclosure@infoarmor.com'. No scope, no testing authorization, no safe harbor, no timeline → contact-only L1. Main allstate.com has no PSIRT; security.txt times out; HackerOne empty stub; Bugcrowd 404; Synack ECONNREFUSED. Prior L1 confirmed (subsidiary channel).”
| 65 | Caterpillar caterpillar.com | HackerOne | policy | L4 | 2026-06-21 |
Full Safe Harbor · web search · confidence high
Report via: https://hackerone.com/caterpillar · Policy: https://hackerone.com/caterpillar
“HackerOne hackerone.com/caterpillar (submission_state=open). disclose.io GOLD-STANDARD safe harbor verbatim: 'We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (TOS) and/or Acceptable Use Policies (AUP)... Will not bring legal action against you... including for bypassing technological measures we use to protect the applications in scope' (= testing authorized + CFAA + ToS/AUP + DMCA 1201). No published CVD deadline → L4. security.txt does NOT resolve at either path (403 Akamai) → securityTxt false.”
| 66 | IBM ibm.com | Web form | policy | L1 | 2026-06-21 |
Contact Only · policy text · confidence high
Report via: https://hackerone.com/ibm?type=team · Policy: http://app-06.www.ibm.com/security.txt
“Contact: https://www.ibm.com/trust/security-psirt | Contact: https://hackerone.com/ibm?type=team | Contact: mailto:psirt@us.ibm.com | PSIRT manages Product, Website, Secrets / Tokens Vulnerabilities”
| 67 | Eli Lilly lilly.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence high
Report via: https://www.lilly.com/about/contact/cybersecurity-disclosure · Policy: https://www.lilly.com/about/contact/cybersecurity-disclosure
“Product Cybersecurity Coordinated Vulnerability Disclosure Policy. Safe harbor: 'If you comply with this Policy... we will consider your research to be authorized, and not recommend or pursue legal action' + third-party authorization defense. Scope = product cybersecurity (medical devices, SaMD). No statutory carve-outs; timeframes at Lilly's discretion.”
| 68 | Merck merck.com | HackerOne | policy | L3 | 2026-06-21 |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/msd · Policy: https://hackerone.com/msd
“Real PUBLIC HackerOne VDP under slug 'msd' (Merck Sharp & Dohme), not 'merck' (404). GraphQL submission_state=open, public_mode, scopes *.merck.com + *.msd.com. Own page merck.com/responsible-vulnerability-disclosure-program/ directs to hackerone.com/msd. Safe harbor + explicit authorization: 'Any activities conducted in a manner the Company deems consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior directory-L2 was wrong handle.”
| 69 | Nationwide nationwide.com | Web form | policy | L2 | 2026-06-21 |
Basic VDP · policy text · confidence high
Report via: https://www.nationwide.co.uk/help/fraud-and-security/report-security-vulnerability · Policy: https://www.nationwide.co.uk/help/fraud-and-security/report-security-vulnerability
“vulnerabilitydisclosure@nationwide.co.uk | You must not: Break any applicable law or regulations. Access unnecessary, excessive or significant amounts of data. Modify data in Nationwide's systems or services. | Submissions we won't respond to: Vulnerabilities relating to systems, websites or apps which are not owned or controlled by us. | We do not offer financial compensation or any other form of reward for submissions. | By emailing or providing a disclosure to us, you agree to our terms. | We will review all submissions that meet the requirements listed on this page.”
| 70 | Broadcom broadcom.com | PSIRT | policy | L2 | 2026-06-21 |
Basic VDP · web search · confidence high
Report via: symantec.psirt@broadcom.com · Policy: https://www.broadcom.com/support/security-center/vulnerability-management
“Product Security Center with per-product-line PSIRT email reporting. Symantec PSIRT symantec.psirt@broadcom.com ('confirm receipt within three business days', ISO 29147); VMware PSIRT vmware.psirt@broadcom.com. Real VDP with submission method/process, no legal safe-harbor commitment. (hackerone.com/broadcom is a directory stub.)”
| 71 | Delta Air Lines delta.com | Email | policy | L1 | 2026-06-21 |
Contact Only · web search · confidence high
Report via: ResponsibleDisclosure@delta.com · Policy: https://www.delta.com/us/en/legal/vulnerability-disclosure-guidelines
“security.txt at delta.com/security.txt (ROOT path, not /.well-known/ which 404s) → Contact: ResponsibleDisclosure@Delta.com, Policy: VDP guidelines page. NO safe harbor — 'Delta reserves all legal rights in the event of your noncompliance... to pursue legal action'; requires compliance with Delta's Terms of Use. 5-business-day ack.”
| 72 | Publix Super Markets publix.com | Email | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
Report via: DataProtectionTeam@publix.com
“No researcher channel. security.txt 404 both paths/hosts. HackerOne 'Team does not exist'. Bugcrowd /engagements/publix 404. Synack no DNS. corporate.publix.com is a SPA catch-all (every path incl. nonsense returns same 200 body, no VDP). Prior 'none' confirmed.”
| 73 | Pfizer pfizer.com | HackerOne | policy | L3 | 2026-06-21 |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/pfizer · Policy: https://hackerone.com/pfizer
“Real PUBLIC HackerOne VDP (GraphQL submission_state=open, public_mode). Promissory safe harbor: 'Pfizer will not initiate legal action against you for any security research activities... conducted in a manner consistent with this policy.' But testing NOT authorized: 'this policy does not... authorize or encourage any actions...' + 'Do not perform automated scanning or testing.' No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior L1 undercounted.”
| 74 | TD Synnex tdsynnex.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No researcher channel. security.txt 404. HackerOne tdsynnex NOT_FOUND; legacy techdata/synnex are UNCLAIMED community stubs (GraphQL state=null, 'community-curated security page documents any known process...'). Bugcrowd engagements x3 404. Synack no DNS. Own /security + /responsible-disclosure 404. Prior 'none' confirmed.”
| 75 | ConocoPhillips conocophillips.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No researcher channel. /.well-known/security.txt 404; /security.txt returns 200 but is the SPA HTML shell (not a real file). HackerOne 'conocophillips' is an UNCLAIMED community stub (GraphQL state=null). Bugcrowd 404. Synack no DNS. Own security page describes internal IT/OT program only (no external report path). Prior 'none' confirmed.”
| 76 | Galaxy Digital galaxy.com | security.txt | — | L1 | 2026-06-21 |
Contact Only · deep audit · confidence high
Report via: security@galaxy.com
“security.txt at ROOT /security.txt (200): 'Contact: mailto:security@galaxy.com / Expires: 2025-09-30' (expired but still served). NOT at /.well-known/ (404). No Policy line, no scope, no safe harbor. No dedicated security/disclosure page; no HackerOne/Bugcrowd/Synack. Bare contact → L1 confirmed.”
| 77 | AbbVie abbvie.com | Web form | policy | L1 | 2026-06-21 |
Contact Only · web search · confidence high
Report via: https://cvd.abbvie.com/ · Policy: https://cvd.abbvie.com/
“Coordinated Vulnerability Disclosure portal at cvd.abbvie.com (web form). SCOPE LIMITED to AbbVie Medical Devices / SaMD, NOT the corporate abbvie.com web property. No safe harbor; submissions deemed non-confidential. 5-business-day ack. (hackerone.com/abbvie is private/invite-only.)” Source: https://cvd.abbvie.com/
| 78 | Prudential Financial prudential.com | HackerOne | policy | L4 | 2026-06-21 |
Full Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/prudential-financial · Policy: https://hackerone.com/prudential-financial
“LIVE HackerOne VDP (GraphQL: state=public_mode, submission=open, scope *.prudential.com). Safe Harbor: 'Any activities conducted in a manner consistent with this Policy and within the Policy's scope will be considered authorized conduct by Prudential, including under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c).' 'reasonable amount of time to resolve' but no numeric deadline → L4. Prior 'none' was WRONG.”
| 79 | TJX tjx.com | security.txt | — | L1 | 2026-06-21 |
Contact Only · deep audit · confidence high
Report via: soc-sectxt@tjx.com
“security.txt exists (live WAF-blocked 403; via Wayback raw): 'Contact: mailto:soc-sectxt@tjx.com / Expires: 2026-04-16'. Contact only — no scope, no policy, no safe harbor. hackerone.com/tjx is an empty community-curated stub (GraphQL state=null). L1 confirmed.”
| 80 | Performance Food pfgc.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No public reporting channel. security.txt 404 both paths. No HackerOne team (GraphQL NOT_FOUND). No Bugcrowd (404). No Synack. Only IR contact + generic ToU 'notify of any breach' clause. Prior 'none' confirmed.”
| 81 | United Airlines united.com | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence medium
Report via: bugbounty@united.com · Policy: https://www.united.com/ual/en/us/fly/contact/vdppolicy.html
“security.txt at /.well-known/ HTTP 200: 'Contact: https://bugcrowd.com/united-vdp / Contact: mailto:bugbounty@united.com / Policy: https://www.united.com/ual/en/us/fly/contact/vdppolicy.html'. Public Bugcrowd VDP (first airline VDP) under Bugcrowd standard disclosure terms (safe harbor for in-scope good-faith research). Triple statutory carve-out could not be confirmed (united.com policy page WAF-blocked) → L3, medium confidence.”
| 82 | Oracle oracle.com | Email | policy | L1 | 2026-06-21 |
Contact Only · deep audit · confidence high
Report via: secalert_us@oracle.com · Policy: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/disclosure/
“Oracle PSIRT reporting (WAF-blocked; via Wayback): 'If you are not a customer or partner, please email secalert_us@oracle.com.' Disclosure policy restrictive: 'Oracle does not distribute exploit code... for vulnerabilities in our products.' No testing authorization, no safe harbor, no carve-out → contact/PSIRT-email only = L1. hackerone.com/oracle stub; bugcrowd.com/oracle is /h/ private portal (control-tested). Prior L1 confirmed.”
| 83 | Cisco Systems cisco.com | Web form | policy | L2 | 2026-06-21 |
Basic VDP · policy text · confidence medium
Report via: https://bugcrowd.com/ciscomeraki · Policy: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html
“The Cisco PSIRT is a dedicated, global team that receives, investigates, and publicly reports information about security vulnerabilities and issues related to Cisco products and services. | Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. | Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the incident reporter to assess the nature of the vulnerability, gather required technical information, and determine appropriate remedial action. | The Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure. | The Cisco PSIRT aligns its practices with ISO/IEC 29147:2018, which are guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization.”
| 84 | HP hp.com | PSIRT | policy | L2 | 2026-06-21 |
Basic VDP · deep audit · confidence high
Report via: https://enable.hp.com/potentialsecurityvulnerability-report · Policy: https://enable.hp.com/potentialsecurityvulnerability-report
“HP PSRT report page (enable.hp.com/potentialsecurityvulnerability-report) — live web form, product-scoped dropdown, 'HP will acknowledge receipt of the submission within two business days and begin investigating.' No legal/safe-harbor language → real VDP, L2. HP's Bugcrowd bounty is PRIVATE/invite-only (/h/hp). Prior L1 upgraded to L2.”
| 85 | Charter Communications corporate.charter.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No verified public channel across corporate.charter.com, charter.com, spectrum.com. hackerone.com/chartercom is an empty community-curated stub (GraphQL state=null, no scopes). No security.txt anywhere. bugcrowd.com/spectrum is /h/ catch-all (control-tested). Prior 'none' confirmed.”
| 86 | American Airlines aa.com | HackerOne | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence high
Report via: https://hackerone.com/aa · Policy: https://hackerone.com/aa
“Managed HackerOne VDP (no bounty). Scope *.aa.com + regional carriers. Safe harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorizes testing + no legal action (L4). No statutory carve-outs named, no CVD deadline. Verified via real-Chrome render.” Source: https://hackerone.com/aa
| 87 | Tyson Foods tysonfoods.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel on any surface. security.txt 404 (apex+www both paths). Only security-adjacent page is financial/ethics disclosures. HackerOne /tyson + /tysonfoods no real program. Bugcrowd 404. Synack refused. UpGuard scan confirms no security.txt/VDP. Prior 'none' confirmed.”
| 88 | Intel intel.com | PSIRT | policy | L3 | 2026-06-21 |
Partial Safe Harbor · web search · confidence high
Report via: secure@intel.com · Policy: https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html
“security.txt at /.well-known/ + root (Canonical https://www.intel.com/security.txt; Policy -> vulnerability-handling-guidelines.html). PSIRT secure@intel.com + Intel Bug Bounty via Intigriti. Safe harbor in bug-bounty terms: 'Intel will not initiate a lawsuit or law enforcement investigation against you in response to your report.' No explicit CFAA/DMCA/ToS carve-out → L3.”
| 89 | Enterprise Products enterpriseproducts.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel. Footer/nav have no security/disclosure link; Contact Us is operational/investor only. security.txt 404 both paths. HackerOne enterpriseproducts + enterprise-products 404 (no stub). Bugcrowd 404. Synack refused. Prior 'none' confirmed.”
| 90 | Ingram Micro ingrammicro.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel. hackerone.com/ingrammicroinc is an empty community stub (real-Chrome: 'There are no known guidelines...' + 'not affiliated', no submit). Bugcrowd 404. Synack NXDOMAIN. No security.txt (WAF). Trust Centre FAQ directs to general support form, no security scope. Prior 'none' confirmed.”
| 91 | General Dynamics gd.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No VDP at gd.com. security.txt 301→404. Homepage/contact/sitemap no security refs. HackerOne 'generaldynamicssharedr' is empty stub (GraphQL all-null); generaldynamics/general-dynamics/gdit team does not exist. Bugcrowd 404. Synack DNS-fail. Business units publish only DFARS supplier incident reporting (not a researcher VDP). Prior 'none' confirmed.”
| 92 | Uber Technologies uber.com | HackerOne | policy | L3 | 2026-06-21 |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/uber · Policy: https://hackerone.com/uber?view_policy=true
“Real HackerOne bug bounty. Safe harbor (promissory): 'If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.' But NO testing authorization ('Actions taken beyond this are not authorized'), NO CFAA/DMCA in the 29k-char rendered policy, and policy REQUIRES ToS compliance (no exemption), no disclosure deadline → L3 (HackerOne's platform Gold-Standard language NOT adopted into Uber's text). Prior L1 undercounted; not over-called to L4.”
| 93 | USAA usaa.com | Web form | policy | L1 | 2026-06-21 |
Contact Only · policy text · confidence high
Report via: https://bugcrowd.com/usaa · Policy: http://usaa.com/.well-known/security.txt
“Contact: https://bugcrowd.com/engagements/usaa | Contact: mailto:disclosure@usaa.com | Policy: https://bugcrowd.com/usaa”
| 94 | TIAA tiaa.org | HackerOne | policy | L4 | 2026-06-21 |
Full Safe Harbor · deep audit · confidence high
Report via: security@tiaa.org · Policy: https://www.tiaa.org/public/support/security-center
“TIAA security-center page → HackerOne embedded form rendering the full 'TIAA Vulnerability Disclosure Policy'. Safe harbor: 'we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you...; Authorized concerning any relevant anti-circumvention laws...; Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)... and we waive those restrictions on a limited basis.' Scope (*.tiaa.org, *.tiaa-cref.org, *.nuveen.com). No published public-disclosure deadline → L4. Prior 'none' was a major miss.”
| 95 | Liberty Mutual Insurance libertymutualgroup.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No researcher channel. HackerOne (liberty_mutual/libertymutual/liberty-mutual all 404). Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (libertymutual.com) / Akamai 403 with no archived file (libertymutualgroup.com). Only 'Security Policy' page is customer-data protection, no researcher reporting. Prior 'none' confirmed.”
| 96 | Travelers travelers.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · policy text · confidence high
Report via: https://www.synack.com/vdp/travelers/ · Policy: https://www.synack.com/vdp/travelers/
“Synack commits that, if we conclude, in our sole discretion, that a security vulnerability submitted through our Site complies with the Terms of Use, the applicable Scope and Rules of Engagement and the applicable Responsible Disclosure Guidelines, Synack will not bring a private action against you or refer the matter for public inquiry. | The following web applications are in scope: *.travelers.com | If you submit a valid vulnerability, you will be notified after a fix has been issued, and you will have the opportunity to be added to the Acknowledgments page and to disclose the vulnerability. | Adhere to these Guidelines and the Rules of Engagement and Scope, and do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of Travelers' information and systems.”
| 97 | Bristol-Myers Squibb bms.com | — | — | L0 | 2026-06-21 |
Not Present · deep audit · confidence high
“No channel. HackerOne GraphQL 'bms' = Team does not exist (the 200 is an SPA shell); 3 other slugs 404. Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (the Wayback 200 is an Incapsula WAF challenge page, not a real file). Only privacy (dpo@bms.com) + compliance Integrity Line. Prior 'none' confirmed.”
| 98 | Coca-Cola coca-cola.com | Web form | policy | L3 | 2026-06-21 |
Partial Safe Harbor · policy text · confidence high
Report via: https://bugcrowd.com/coca-cola · Policy: https://www.intigriti.com/programs/tccc/coca-cola/detail
“Safe harbour for researchers is applied | with the exception of what is listed as explicitly out-of-scope you are welcome and encouraged to submit impactful findings on any asset you can attribute to The Coca-Cola Company or our brands! | Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)”
| 99 | Nike about.nike.com | Web form | policy | L2 | 2026-06-21 |
Basic VDP · deep audit · confidence high
Report via: infosec@nike.com · Policy: https://www.nike.com/help/a/responsible-disclosure
“Real first-party VDP (full text read from __NEXT_DATA__). Scope + submission form (nike.com/help/disclosure) + prohibited-methods list. Not a bounty. CVD timeline present: 'We're committed to patching in-scope vulnerabilities in 90 days or less' + 90-day confidentiality. Safe harbor only soft ('open dialogue... without fear of reprisal') — NO explicit non-pursuit, NO testing authorization, NO CFAA/DMCA/ToS carve-out → L2. (hackerone.com/nike is an empty unclaimed stub, does not count.) Prior L2 confirmed.”
| 100 | Massachusetts Mutual massmutual.com | Email | policy | L2 | 2026-06-21 |
Basic VDP · web search · confidence high
Report via: responsible.disclosure@massmutual.com · Policy: https://www.massmutual.com/protecting-your-information/responsible-disclosure-policy
“Self-hosted Responsible Disclosure Policy; report via responsible.disclosure@massmutual.com. Structured RDP rules + scope, but NO safe harbor and explicitly hostile: 'MassMutual expressly reserves all rights afforded to it, by law or in equity.' Prohibits public disclosure without consent.”
🇦🇺 Australia · snapshot 2026-06-21 · 100 companies · graded against the disclose.io Maturity Model
| # | Company | Report | Policy | Disclose.io Maturity Level | Last verified |
|---|---|---|---|---|---|
| 1 | BHP Group bhp.com | Email | policy | L2 | 2026-06-21 |
Basic VDP · deep audit · confidence high
Report via: cybersecurity@bhp.com · Policy: https://www.bhp.com/responsible-disclosure
“First-party responsible-disclosure policy (bhp.com/responsible-disclosure). Scope + submit to cybersecurity@bhp.com, but RESTRICTS testing: 'Do not attempt to exploit any potential vulnerabilities'; 'use of scanners or automated tools' prohibited; 'BHP does not provide any form of compensation'. No safe harbor, no authorization, no carve-out, no deadline → L2. HackerOne bhp NOT_FOUND/bare; Bugcrowd 404; no valid security.txt.”
| 2 | Commonwealth Bank of Australia commbank.com.au | Email | policy | L2 | 2026-06-21 |
Basic VDP · deep audit · confidence high
Report via: vulnerability@cba.com.au · Policy: https://www.commbank.com.au/support/security/vulnerability-disclosure-program.html
“Self-authored VDP (scope + email submit to vulnerability@cba.com.au + prohibited activities). Explicit no-safe-harbor: 'CommBank does not waive any rights or claims with respect to such activities.' No non-pursuit, no authorization, no carve-out, no timeline → L2. Real text/plain security.txt at /.well-known/ (Contact: vulnerability@cba.com.au). HackerOne commonwealthbank null stub.”
| 3 | Westpac Banking Corporation westpac.com.au | Bugcrowd | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/westpac-vdp-pro · Policy: https://bugcrowd.com/engagements/westpac-vdp-pro
“Public Bugcrowd VDP (visibility_public, open, 37 vulns, Safe-harbor status 'full'). Brief Safe Harbor verbatim: 'Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy; Exempt from the Digital Millennium Copyright Act (DMCA)... circumvention of technology controls; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Explicit testing authorization + all three carve-outs → L4. No numeric disclosure deadline → not L5. (Confirmed by two independent reads; the first under-graded L2 when the brief legalese was gated.)”
| 4 | National Australia Bank nab.com.au | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/nationalaustraliabankog · Policy: https://www.nab.com.au/about-us/security
“Bugcrowd VDP (nationalaustraliabankog), real-Chrome confirmed safe-harbor tier = 'Partial safe harbor' (Bugcrowd partial = a limited goodwill non-pursuit commitment). Promissory non-pursuit, testing NOT explicitly authorized, no statutory carve-out, no disclosure deadline → L3 (consistent with Telstra/ANZ partial-tier programs). HackerOne nab null stub.”
| 5 | ANZ Group Holdings anz.com.au | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/anz-vdp · Policy: https://bugcrowd.com/engagements/anz-vdp
“Bugcrowd VDP (anz-vdp), real-Chrome confirmed safe-harbor tier = 'Partial safe harbor' (limited goodwill non-pursuit commitment). Promissory non-pursuit, testing NOT explicitly authorized, no statutory carve-out, no deadline → L3 (consistent with Telstra/NAB partial-tier programs).”
| 6 | Wesfarmers wesfarmers.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No researcher channel on the parent domain. /security-privacy is privacy-only; FY22 cyber page is internal practices only. security.txt both paths + www → HTML 404 (no Contact:). HackerOne wesfarmers null stub. Bugcrowd /engagements/wesfarmers 404. Subsidiaries (Bunnings/Kmart) excluded per parent scope → L0.”
| 7 | Macquarie Group macquarie.com | Bugcrowd | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/macquarie-group-vdp · Policy: https://bugcrowd.com/engagements/macquarie-group-vdp
“Real-Chrome (Interceptor) read of the Bugcrowd brief — full disclose.io safe harbor, verbatim: 'Safe Harbor: When conducting vulnerability research according to this policy, we consider this research to be: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)... circumvention of technology controls; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Testing authorized + 3 carve-outs (CFAA/DMCA/ToS) → L4. 'Does not allow disclosure' → no L5. (Earlier WebFetch could not render this JS/auth-gated brief; confirmed live in real Chrome 2026-06-21.)”
| 8 | Newmont Corporation newmont.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. Governance/ethics page has only a general Integrity Helpline (not a VDP). HackerOne newmont empty shell. Bugcrowd /engagements/newmont 404. security.txt → 'Invalid key' WAF string (no Contact:) / 404. → L0.”
| 9 | Goodman Group goodman.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL goodman/goodmangroup NOT_FOUND. Bugcrowd /engagements/{goodman,...} 404 (bare /goodman = /h/ catch-all only). security.txt 403 WAF JS-challenge / Next.js 404; Wayback never archived. No VDP/PSIRT page. → L0.”
| 10 | Rio Tinto riotinto.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“hackerone.com/riotinto is an UNCLAIMED community/external directory stub, NOT a real program: GraphQL submission_state:null/policy:null, and the real-Chrome page renders verbatim 'There are no known guidelines for reporting potential security vulnerabilities' (HackerOne's text for an unconfigured directory listing). No own-site security.txt or policy either. No real researcher channel → L0. (Confirmed real Chrome 2026-06-21.)”
| 11 | Fortescue fortescue.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No researcher channel. security.txt 404 (fortescue.com + www; fmgl.com.au redirects to 404). HackerOne fortescue 404. Bugcrowd /engagements/fortescue(-metals) 404. Only reporting path is the 'Speak Up' EthicsPoint whistleblower hotline (scoped to misconduct, not security) → does not qualify. → L0.”
| 12 | Telstra Group telstra.com.au | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/telstra-vdp · Policy: https://bugcrowd.com/engagements/telstra-vdp
“Real active Bugcrowd VDP (brief changelog 2025-10-09). Authorizes scoped testing: 'Testing is only authorised on the targets listed as in scope.' safeHarborStatus={status:'partial', 'limited goodwill statement about not pursuing legal action'} — promissory non-pursuit present but limited, NO statute-specific carve-out (no Criminal Code/anti-circumvention/ToS), no disclosure deadline (disclosure prohibited) → L3. HackerOne telstra null stub. No valid security.txt. Telstra's own hub links to the Bugcrowd engagement.”
| 13 | CSL Limited csl.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel for CSL Limited (biotech, csl.com). security.txt 404 (apex+www). /disclosures is legal/financial; data-protection page is internal gov only. TRAP: hackerone.com/csl + csl-group.com VDP belong to a DIFFERENT company (CSL Group M2M/IoT), excluded. → L0.”
| 14 | Woodside Energy Group woodside.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (all paths). hackerone.com/woodsideenergy is an UNCLAIMED external directory stub (is_external_program:true, policy:null, claimed:false; GraphQL submission_state:null) → does not count. Bugcrowd /engagements/woodside(-energy) 404. → L0.”
| 15 | Transurban Group transurban.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt absent (HTML homepage / 404 at all paths; Wayback empty). hackerone.com/transurban 404. Bugcrowd /engagements/transurban + bare 404. /privacy lists only privacy + tolling emails. → L0.”
| 16 | Woolworths Group woolworthsgroup.com.au | Email | — | L1 | 2026-06-21 |
Contact Only deep audit · confidence high
Report via: vulnerabilitydisclosure@woolworths.com.au
“Company page: 'email vulnerabilitydisclosure@woolworths.com.au' — contact only, no policy/scope. Testing NOT authorized: 'does not condone... testing activities that violate laws and regulations.' No safe harbor. HackerOne woolworthslimited exists but empty policy/scope (not confirmable open). No security.txt. → L1.”
| 17 | QBE Insurance Group qbe.com | Email | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: security@qbe.com · Policy: https://www.qbe.com/responsible-disclosure-program
“Company Responsible Disclosure Program. Non-pursuit: 'we will not take legal action against security researchers acting in good faith... provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program.' Submit to security@qbe.com. Testing NOT affirmatively authorized (only services 'to which you have authorised access'); no carve-out, no deadline → L3 (read via Wayback raw + regional mirrors). HackerOne qbe empty stub.”
| 18 | Aristocrat Leisure aristocrat.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt redirects to HTML 404 (aristocrat.com + aristocratgaming.com 200-but-HTML). HackerOne GraphQL NOT_FOUND for 6 slug variants (the /aristocrat 200 is SPA shell). Bugcrowd /engagements/ 404 x4 (bare → /h/ catch-all). Only Privacy/Disclosure/Whistleblower policies. → L0.”
| 19 | Coles Group colesgroup.com.au | Bugcrowd | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/coles-vdp-pro · Policy: https://bugcrowd.com/engagements/coles-vdp-pro
“Real-Chrome read of the Bugcrowd brief (coles-vdp-pro) — full disclose.io safe harbor renders verbatim: 'Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)...; Exempt from restrictions in our Terms & Conditions... we waive those restrictions.' Testing authorized + 3 carve-outs → L4 (the full-safe-harbor text renders only for full-tier engagements; verified program-specific, not boilerplate). 'Does not allow disclosure' → no L5. (Earlier WebFetch/Wayback could not render the full section; confirmed in real Chrome 2026-06-21.)”
| 20 | Northern Star Resources nsrltd.com | Email | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
Report via: licensing@nsrltd.com
“No channel. No security/disclosure page; contact-us has only general emails. HackerOne 3 slugs empty/404. Bugcrowd /engagements/ 404. security.txt 404 (apex+www). → L0.”
| 21 | Brambles brambles.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel (brambles.com + chep.com). Only a 'Speak Up' ethics hotline + privacy breach notice. TRAP: brmbl.io 'Bramble' VDP is a DIFFERENT company (GitLab fork), excluded. HackerOne /brambles 404, /chep empty. Bugcrowd 404. security.txt 404 both domains. → L0.”
| 22 | Evolution Mining evolutionmining.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. Contact page has only office phones, registry, whistleblower line. security.txt 404 both paths. HackerOne 2 slugs 404. Bugcrowd 3 slugs 404. → L0.”
| 23 | Amcor amcor.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt clean 404 x3. HackerOne /amcor 404. Bugcrowd /engagements/amcor + bare 404. Governance page lists 26 policies, none a VDP. → L0.”
| 24 | Santos santos.com | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: security@santos.com · Policy: https://bugcrowd.com/santos-vdp
“Valid text/plain security.txt → Bugcrowd santos-vdp (open). Authored safe harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate and legal action against you...' + 'Testing is only authorized on the targets listed as in scope.' No named statutory carve-out, no DMCA/ToS, no deadline → L3. HackerOne santos empty placeholder.”
| 25 | Computershare computershare.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (apex+www, no Wayback capture). HackerOne /computershare 404. Bugcrowd /engagements/computershare + bare 404. Site describes internal/contracted pentesting only; the one security email is for account fraud. → L0.”
| 26 | Suncorp Group suncorpgroup.com.au | Email | policy | L2 | 2026-06-21 |
Basic VDP deep audit · confidence high
Report via: vulnerability@suncorp.com.au · Policy: https://www.suncorp.com.au/vulnerability-disclosure-program.html
“Company-authored VDP (scope + email submit to vulnerability@suncorp.com.au). No safe harbor — prohibits automated tools and reserves rights: 'Suncorp reserves the right to act against individuals engaged in any of the activities listed above.' No carve-out, no timeline → L2. No security.txt; no HackerOne/Bugcrowd. (VDP on customer site suncorp.com.au, not corporate.)”
| 27 | Scentre Group scentregroup.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“HackerOne 'scentregroup' exists in directory but is NOT public/open: GraphQL submission_state:null/state:null/policy:null (control: a public program returns submission_state:'open'). All Wayback snapshots show only directory boilerplate, no authored policy. No public gradeable policy → null/L0. Bugcrowd 404; security.txt 404.”
| 28 | Pilbara Minerals pls.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. pilbaraminerals.com.au 301→pls.com. No security/responsible-disclosure page; governance lists 25 policies, none for vuln disclosure. Only security-adjacent contact is a privacy officer. security.txt 404 (both domains). HackerOne/Bugcrowd 404. → L0.”
| 29 | Insurance Australia Group iag.com.au | Email | — | L1 | 2026-06-21 |
Contact Only deep audit · confidence medium
Report via: cybersecurity@iag.com.au
“Only authored artifact was a security.txt (contact cybersecurity@iag.com.au, 'No paid bounties currently offered') — contact only, no scope/policy. BUT it EXPIRED 1 Jan 2025 and now 404s (live Akamai 403; Wayback 404 since 2025-05). HackerOne /iag is a reserved null stub. → L1 (on the historical contact; arguably 'removed' now). confidence medium (archived, not live).”
| 30 | Origin Energy originenergy.com.au | Bugcrowd | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/originenergy-og1 · Policy: https://bugcrowd.com/engagements/originenergy-og1
“Valid text/plain security.txt → Bugcrowd engagement originenergy-og1 (active, changelog 2026-03-30) + digitalsecurity@originenergy.com.au. Brief Safe Harbor verbatim: 'we consider this research to be: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)...; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Testing authorized + 3 carve-outs → L4. No disclosure deadline → not L5. (Carve-out cites US CFAA/DMCA — Bugcrowd boilerplate — mapped to cfaaCarveout per instruction; page may footnote US-law references.)”
| 31 | South32 south32.net | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (south32, south-32). Bugcrowd /engagements/south32 404. security.txt 404/empty (south32.net + south32.com); Wayback 0 snapshots. → L0.”
| 32 | REA Group rea-group.com | Bugcrowd | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: security-vulnerability@rea-group.com · Policy: https://www.rea-group.com/security/
“REA security page → public Bugcrowd bug bounty (rea-mbb-og, live, changelog 2026-06-01). Authored non-pursuit: 'Not pursue legal action related to your discovery and reporting of the vulnerability (in relation to any non-compliance... we reserve all of our legal rights).' Published timeline: confidentiality 'no less than 90 days'. NO explicit testing authorization, NO named statutory carve-out → L3 (L5 needs L4 first). Carve-outs graded from REA's authored text only.”
| 33 | Lynas Rare Earths lynasrareearths.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML both paths. HackerOne GraphQL NOT_FOUND (6 slugs). Bugcrowd /engagements/ 404 x2. /contact has only IR/media/general; whistleblower only. → L0.”
| 34 | Pro Medicus promed.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML across promed.com.au/promedicus.com/visage(imaging).com. HackerOne GraphQL NOT_FOUND (promedicus, pro-medicus, visage). Bugcrowd /engagements/ 404 x3. Privacy only. → L0.”
| 35 | Seven Group Holdings sghl.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML both paths; Wayback none. HackerOne GraphQL NOT_FOUND (4 slugs). Bugcrowd /engagements/ 404 x2. Contact/privacy only; subsidiaries (WesTrac/Coates/Boral/SWM) don't cover parent. → L0.”
| 36 | Washington H Soul Pattinson and Company soulpatts.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML both paths; Wayback 404 since 2024. HackerOne GraphQL NOT_FOUND (soulpatts, whsp, soulpattinson). Bugcrowd /engagements/ 404 x4. /privacy only (also checked new name WHSP Holdings). → L0.”
| 37 | James Hardie Industries jameshardie.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML (jameshardie.com + .com.au, both paths). HackerOne 3 slugs 404. Bugcrowd /engagements/ 404 x2. Only ASX/SEC disclosure policy + ethics hotline. → L0.”
| 38 | Qantas Airways qantas.com | Bugcrowd | policy | L2 | 2026-06-21 |
Basic VDP deep audit · confidence high
Report via: qantas-vdp-ess@submit.bugcrowd.com · Policy: https://bugcrowd.com/engagements/qantas-vdp-ess
“Valid text/plain security.txt (both paths) → open Bugcrowd VDP (qantas-vdp-ess, In progress since Nov 2025). Qantas-authored security.txt grants NO authorization — lists ONLY prohibitions: 'The following activities are strictly prohibited and are not authorised by Qantas Group under any circumstances...'. Only safe-harbor framing is Bugcrowd boilerplate (not credited). '21 days validation' is an SLA, not a deadline. HackerOne /qantas unaffiliated stub. → L2.”
| 39 | BlueScope Steel bluescope.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (bluescope.com HTML; bluescopesteel.com.au plain 404). HackerOne 4 slugs 404. Bugcrowd /engagements/ 404 x4. Only privacy + ethics emails. → L0.”
| 40 | Mineral Resources mineralresources.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 Next.js HTML (4 URLs). HackerOne minres/mineralresources absent (bounty-targets-data 457 handles, no match). Bugcrowd 404 x2. Only 'MinRes Integrity Assist' whistleblower. → L0.”
| 41 | APA Group apa.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths; sitemap has no security URLs. HackerOne 'apa' = American Psychological Association (different co); 'apagroup' 404. Bugcrowd 404 x2. Only whistleblower hotline. → L0.”
| 42 | Medibank Private medibank.com.au | Email | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
Report via: mpl_secops_alerts@medibank.com.au
“No researcher channel (despite the 2022 mega-breach). security.txt 301→unreachable internal AEM host (text/html, no Contact); root 404. /security/ + /cybersecurity 404. HackerOne 2 slugs 404. Bugcrowd 404 x3. Own guidance points public to ScamWatch/ACSC (consumer fraud, not researcher VDP). → L0.”
| 43 | WiseTech Global wisetechglobal.com | security.txt | — | L1 | 2026-06-21 |
Contact Only deep audit · confidence high
Report via: csirt@wisetechglobal.com
“Valid PGP-signed text/plain security.txt: 'Contact: mailto:csirt@wisetechglobal.com' + Expires 2026-11-27. No Policy field, no scope, no safe harbor. /information-security/ page has no reporting channel. Contact-only → L1.”
| 44 | Xero xero.com | Bugcrowd | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/xero-vdp-pro · Policy: https://www.xero.com/us/security/vulnerability-disclosure/
“Xero's OWN authored VDP policy: research 'authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...'; 'exempt from the Digital Millennium Copyright Act (DMCA)...'; 'exempt from restrictions in our terms of use... we waive those restrictions on a limited basis.' Authorization + all 3 carve-outs → L4. No disclosure deadline → not L5. Submissions via Bugcrowd xero-vdp-pro (open).”
| 45 | The Lottery Corporation thelotterycorporation.com | Email | policy | L3 | 2026-06-21 |
Partial Safe Harbor deep audit · confidence high
Report via: security@thelotterycorporation.com · Policy: https://www.thelotterycorporation.com/security
“Authored Responsible Disclosure Statement. Non-pursuit: 'Not pursue legal action related to your discovery and reporting of the vulnerability...'. Testing NOT authorized: 'does not give you permission to breach any laws...'. 90-day confidentiality timeline. No carve-out → L3 (L5 needs L4). Valid PGP security.txt.”
| 46 | Vicinity Centres vicinity.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. No VDP page (privacy+T&C only). HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404. security.txt redirect-loop / CF 403 (no real text/plain file); Wayback none. → L0.”
| 47 | ALS Limited alsglobal.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (4 slugs). Bugcrowd 404. security.txt → site HTML 404 both paths; Wayback none. Only Continuous Disclosure (financial) + privacy. → L0.”
| 48 | Charter Hall Group charterhall.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404 x3. security.txt 404 HTML both paths (apex+www); Wayback none. Privacy + contact only. → L0.”
| 49 | NextDC nextdc.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths. Security pages cover only physical/ISO/SOC/PCI compliance. HackerOne /nextdc 404. Bugcrowd 404. → L0.”
| 50 | Orica orica.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt = Cloudflare JS challenge (403, no text/plain); Wayback none. HackerOne /orica bare page, absent from datasets. Bugcrowd 404. Only privacy/governance/whistleblower. → L0.”
| 51 | CAR Group cargroup.com | Email | policy | L2 | 2026-06-21 |
Basic VDP deep audit · confidence high
Report via: security@carsales.com.au · Policy: https://www.carsales.com.au/info/responsible-disclosure-program/
“carsales (CAR Group) own Responsible Disclosure page: scope + 'send an email to security@carsales.com.au'. No safe harbor — reserves legal rights: 'we will put the handbrake on, cease your participation... and reserve all our legal rights.' Prohibits ToS breach (not waive), no testing auth, no carve-out, no timeline → L2. HackerOne carsales = null stub (does not count).”
| 52 | Stockland stockland.com.au | Email | — | L0 | 2026-06-21 |
Not Present deep audit · confidence medium
Report via: DL_IT_TS@stockland.com.au
“HackerOne lists a 'Stockland | VDP' title but GraphQL team(handle:stockland) returns submission_state:null/policy:null — a null stub that does NOT count (bare client-rendered shell). No own-site page; Bugcrowd 404; security.txt 403 WAF, no Wayback. No confirmed readable channel → L0.”
| 53 | ASX Limited asx.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“Only security page is scam/phishing reporting (hoax@asx.com.au) — fraud infrastructure, not a researcher channel. No VDP/scope/safe harbor. HackerOne GraphQL 'Team does not exist'. Bugcrowd 404 x3. security.txt HTML 404, no Wayback. → L0.”
| 54 | Sonic Healthcare sonichealthcare.com | Web form | policy | L2 | 2026-06-21 |
Basic VDP deep audit · confidence high
Report via: https://www.sonichealthcare.com/privacy-and-security/vulnerability-disclosure-policy/ · Policy: https://www.sonichealthcare.com/privacy-and-security/vulnerability-disclosure-policy/
“Company-authored VDP (group + subsidiaries): 'To report a vulnerability, please fill out the below form.' Scope + submission + a coordination/5-day clause, but NO testing authorization and NO non-pursuit/CFAA/DMCA/ToS carve-out → L2. Has a security.txt + a parallel Bugcrowd sonic-vdp-pro engagement.”
| 55 | Technology One technology1.com | Email | — | L1 | 2026-06-21 |
Contact Only deep audit · confidence high
Report via: security@technology1.com
“'Security and privacy incident reporting': 'Email privacy@technologyonecorp.com or security@technology1.com to notify TechnologyOne of a privacy or security breach.' Customer breach channel only — no researcher VDP, no scope, no safe harbor → L1. HackerOne NOT_FOUND; Bugcrowd 404; no security.txt.”
| 56 | GPT Group gpt.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne 'thegptgroup' is a null stub (GraphQL submission_state:null) — does not count; other slugs NOT_FOUND. Privacy only; security.txt 404 both paths; Bugcrowd 404 x3. → L0.”
| 57 | Greatland Resources greatland.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (greatland.com.au + greatlandgold.com). HackerOne NOT_FOUND (3 slugs). Bugcrowd 404 x3. Privacy only. → L0.”
| 58 | Ramsay Health Care ramsayhealth.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. Only /security page is ISO/NHS data-protection posture (no reporting). security.txt 404 across .com/.com.au/.co.uk. HackerOne NOT_FOUND. Bugcrowd 404. Only privacy officer email. → L0.”
| 59 | Qube Holdings qube.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt clean 404. No security page; privacy only. HackerOne qube + qubeholdings NOT_FOUND (no stub). Bugcrowd 404 x3. (security@qube-rt.com is unrelated Qube Research & Technologies.) → L0.”
| 60 | JB Hi-Fi jbhifi.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (Shopify HTML / size-0). No VDP page. HackerOne NOT_FOUND. Bugcrowd 404 x3. The Good Guys (subsidiary) also none. → L0.”
| 61 | Ampol ampol.com.au | HackerOne | policy | L4 | 2026-06-21 |
Full Safe Harbor deep audit · confidence high
Report via: https://www.ampol.com.au/vulnerability-disclosure-policy · Policy: https://www.ampol.com.au/vulnerability-disclosure-policy
“Ampol's own Safe Harbour prose: 'we consider this research conducted under this policy to be: Authorised in view of any applicable anti-hacking law; Authorised in view of relevant anti-circumvention laws...'. Submit via embedded HackerOne form. testingAuthorized + anti-hacking (CFAA-equiv) + anti-circumvention (DMCA-equiv) = L4. No ToS waiver, no deadline. Confirmed by adversarial double-read.”
| 62 | Cochlear cochlear.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“Medical-device maker but no researcher VDP. security.txt 404 (3 paths). HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404. Data Privacy page routes to customer service. → L0.”
| 63 | TPG Telecom tpgtelecom.com.au | security.txt | — | L1 | 2026-06-21 |
Contact Only deep audit · confidence high
Report via: vulnerability@tpgtelecom.com.au
“Valid security.txt (200 text/plain): 'Contact: mailto:vulnerability@tpgtelecom.com.au / Expires: 2027-01-01'. Contact only, no policy → L1. HackerOne tpg_telecom unclaimed stub (does not count).”
| 64 | Atlas Arteria atlasarteria.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 307→SPA HTML; /security + /responsible-disclosure SPA soft-404s. → L0.”
| 65 | Perseus Mining perseusmining.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 404 (no Wayback). 25+ governance policies, none security. → L0.”
| 66 | Aurizon Holdings aurizon.com.au | Email | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
Report via: certificate_management@equatetechnologies.com.au
“No channel. hackerone.com/aurizon empty stub (submission_state:null, does not count). Bugcrowd 404 x2. security.txt 404 (aurizon.com.au); aurizon.com is a parked lander. → L0.”
| 67 | Mirvac Group mirvac.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths (genuine). HackerOne /mirvac JS stub (no open program). Bugcrowd 404. Only privacy@mirvac.com. → L0.”
| 68 | Genesis Minerals genesisminerals.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML both paths; Wayback none. HackerOne 2 slugs 404. Bugcrowd 404 x2. Governance has no security terms. → L0.”
| 69 | Challenger Limited challenger.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No live channel. A contact-only security.txt (cyberteam@challenger.com.au) existed 2023→late-2024 but is REMOVED (live 404 HTML; Wayback 404 since 2025-05). No disclosure page (consumer scam tips only). HackerOne /challenger no program. Bugcrowd 404. → L0.”
| 70 | Whitehaven Coal whitehavencoal.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt genuine 404 both paths; Wayback none. HackerOne 3 slugs 404. Bugcrowd 404 x3. Contact page has no security contact. → L0.”
| 71 | Eagers Automotive eagersautomotive.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No verifiable channel. ENTIRE domain returns 403 to all clients incl. real Chrome (hard geo/IP block) — on-site page can't be read but no independently verifiable channel exists. security.txt 403 HTML (no Wayback). HackerOne 4 slugs 404. Bugcrowd 404 x2. → L0.”
| 72 | Dexus dexus.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (apex+www, both paths). HackerOne /dexus empty stub. Bugcrowd 404 x2. Privacy has only an internal breach plan, no reporting mechanism. → L0.”
| 73 | IGO Limited igo.com.au | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths (no Wayback). HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. /security + /responsible-disclosure 404. Privacy only. → L0.”
| 74 | Worley worley.com | — | — | L0 | 2026-06-21 |
Not Present deep audit · confidence high
“No channel. security.txt 404 (no Wayback). HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only an internal Information Security Policy (governance, not researcher VDP). → L0.”
| 75 | Endeavour Group endeavourgroup.com.au |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: security@edg.com.au · Policy: https://www.endeavourgroup.com.au/vulnerability-disclosure-policy
“Real published VDP: scope ('independent security researchers for any internet facing systems or SaaS') + submit to security@edg.com.au. NO safe harbor — reserves rights: 'In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights.' No testing auth, no carve-out, no deadline -> L2.” | ||||||
| 76 | Capricorn Metals capmetals.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404. HackerOne GraphQL NOT_FOUND. Bugcrowd 404. /security 200 but is homepage shell (no disclosure content); /responsible-disclosure 404. -> L0.” | ||||||
| 77 | HUB24 hub24.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (no Wayback). HackerOne GraphQL NOT_FOUND. Bugcrowd 404. /security + /responsible-disclosure + /vulnerability-disclosure-policy all 200 but are Incapsula WAF challenge shells (byte-identical to a nonsense control) — not real pages. -> L0.” | ||||||
| 78 | Ramelius Resources rameliusresources.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404. /security + /responsible-disclosure 404. Only internal info-security policy. -> L0.” | ||||||
| 79 | Bendigo and Adelaide Bank bendigoadelaide.com.au |
Bugcrowd ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://bugcrowd.com/engagements/bendigobank-vdp · Policy: https://www.bendigobank.com.au/security/ben-protect/responsible-disclosure/
“Open Bugcrowd VDP (in_progress, open, safeHarborStatus 'declined'). Own page → Bugcrowd; 'does not compensate'. Only legal sentence is boilerplate ('comply... with the BugCrowd Standard Disclosure Terms') — no authored safe harbor/authorization/carve-out -> L2. HackerOne bendigobank empty stub (does not count).” | ||||||
| 80 | AGL Energy agl.com.au |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: security@agl.com.au · Policy: https://www.agl.com.au/terms-conditions/responsible-disclosure-policy
“Real responsible-disclosure policy (scope + security@agl.com.au). Narrow conditional auth only: 'We allow you to conduct vulnerability research and testing only on our services... to which you have authorised access.' Anti-protective: 'AGL does not condone any malicious or illegal behaviour...'. 72h ack SLA (not deadline). No safe harbor/carve-out -> L2. HackerOne aglenergy empty stub.” | ||||||
| 81 | Steadfast Group steadfast.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt HTML 404 both paths + Wayback. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404 x3. Only a privacy breach clause. -> L0.” | ||||||
| 82 | Downer EDI downergroup.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (apex+www; Wayback 404 since 2023). HackerOne NOT_FOUND (4 slugs). Bugcrowd none. Policies index (23 policies) has no security/VDP. -> L0.” | ||||||
| 83 | Cleanaway Waste Management cleanaway.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt HTML 404 both paths + Wayback. HackerOne NOT_FOUND (3 slugs). Bugcrowd 404 x3. No disclosure page. -> L0.” | ||||||
| 84 | Regis Resources regisresources.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (apex 301→www→404; no Wayback). HackerOne NOT_FOUND (3 slugs). Bugcrowd none. Only legal/privacy/governance + a 2026 ransomware writeup. -> L0.” | ||||||
| 85 | Telix Pharmaceuticals telixpharma.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. security.txt 404 both paths. Only privacy@telixpharma.com (privacy). -> L0.” | ||||||
| 86 | Seek seek.com.au |
Bugcrowd ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://bugcrowd.com/engagements/seek · Policy: https://bugcrowd.com/engagements/seek
“Open public Bugcrowd bug-bounty (engagement in_progress, pay_for_success). SEEK page links it. Brief has scope+submit+rewards but NO safe harbor/non-pursuit/authorization/carve-out — in fact restrictive ('Customer instances are not to be accessed... will be considered a breach of our Terms and Conditions') -> L2. HackerOne NOT_FOUND.” | ||||||
| 87 | Westgold Resources westgold.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 404 both paths. Only ESG mentions of internal controls. -> L0.” | ||||||
| 88 | Metcash metcash.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 both paths. HackerOne GraphQL NOT_FOUND. Bugcrowd 404 x2. Only privacy@metcash.com (privacy). -> L0.” | ||||||
| 89 | A2 Milk Company thea2milkcompany.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (thea2milkcompany.com); US sub a2milk.com/security.txt 200 but empty HTML SPA shell (no Contact, rejected). HackerOne NOT_FOUND (3 slugs). Bugcrowd 404. -> L0.” | ||||||
| 90 | Ansell ansell.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: security.vdr@ansell.com · Policy: https://www.ansell.com/us/en/legal/vulnerability-disclosure-policy
“Authored VDP. Testing auth + non-pursuit: 'we will consider your research to be authorised and... Ansell will not recommend or pursue legal action related to your research.' Third-party defense + published CVD timeline: '90 calendar days... (software) or 120 calendar days... (hardware, firmware, and wireless).' BUT only ONE carve-out (non-pursuit/anti-hacking-equiv); NO DMCA/anti-circumvention, NO ToS waiver → fails L4 '≥2 carve-outs' gate despite the timeline -> L3 (re-verified directly). Valid text/plain security.txt.” | ||||||
| 91 | AMP Limited amp.com.au |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: infosec@amp.com.au
“Real text/plain security.txt: ASCII banner 'infosec ... at amp.com.au' + encryption pubkey. Contact only, no policy/scope/safe harbor -> L1. HackerOne 'ampau' is a directory stub (submission_state:null). No Bugcrowd.” | ||||||
| 92 | Bank of Queensland boq.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne 'boq' stub (GraphQL submission_state:null); bankofqueensland not found. security.txt 404 both paths (boq.com.au + boqgroup.com). Bugcrowd 404. /responsible-disclosure real 404. Own pages = customer fraud guidance only. -> L0.” | ||||||
| 93 | Dyno Nobel dynonobel.com.au |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: itsecurity@Incitech.com.au
“Real text/plain security.txt (also on dynonobel.com + parent incitecpivot.com.au): 'Contact: mailto:itsecurity@Incitech.com.au / Expires 2025-12-31'. Contact only, no policy -> L1. CAVEAT: EXPIRED (2025-12-31) and contact host Incitech.com.au is NXDOMAIN — email currently unreachable, but a valid Contact line is served live. No HackerOne/Bugcrowd.” | ||||||
| 94 | Fisher & Paykel Healthcare fphcare.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: securityreports@fphcare.com · Policy: https://www.fphcare.com/us/corporate/contact-us/product-security/report-a-vulnerability/
“Own coordinated-disclosure policy: 'we support coordinated vulnerability disclosure... We welcome vulnerability testing... please send an email to securityreports@fphcare.com.' 10-business-day response SLA (not a deadline). NO safe harbor/non-pursuit, NO statutory carve-out, NO deadline. 'Welcome testing' is encouragement, not authorization-with-carve-outs -> L2. No security.txt, no platform program.” | ||||||
| 95 | Light & Wonder lnw.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: securityreporting@lnw.com · Policy: https://explore.lnw.com/responsible-reporting/
“Own 'Responsible Reporting' policy: scope + 'report it as soon as possible to securityreporting@lnw.com.' NO safe harbor/non-pursuit; RESTRICTS the researcher ('Please DO NOT... Take any action that might violate any applicable laws or agreements'), no testing authorization, no carve-out, no deadline -> L2. No security.txt, no platform program.” | ||||||
| 96 | ResMed resmed.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/resmed · Policy: https://hackerone.com/resmed
“Real OPEN HackerOne program (GraphQL submission_state:'open', state:'public_mode') with authored Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. Promissory non-pursuit + authorization, but NO named statutory carve-outs (no CFAA/DMCA/ToS; <2 for L4), resolution case-by-case (no deadline) -> L3. Own resmed.com/security + ap.resmed.com link to it; no security.txt.” | ||||||
| 97 | Sandfire Resources sandfire.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 301→www→404 both paths. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only general + Ethics Line (conduct, not security). -> L0.” | ||||||
| 98 | Sigma Healthcare sigmahealthcare.com.au |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt clean 404 both paths. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only Privacy Officer email. All 'Sigma' VDP hits were DIFFERENT companies (Sigma360/Computing/Aldrich). -> L0.” | ||||||
| 99 | Treasury Wine Estates tweglobal.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt FAKE-200: serves Next.js HTML SPA shell (not text/plain, no Contact:) — HTML-masquerade trap. HackerOne no team. Bugcrowd none. Only general/investor contacts. -> L0.” | ||||||
| 100 | Block Inc block.xyz |
Bugcrowd ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/cashapp · Policy: https://bugcrowd.com/engagements/cashapp
“Real public Cash App / Block Bugcrowd bounty (since Jun 2020; P1 $5k-$18k; 53 vulns). Authored policy: 'we promise not to bring legal action against researchers who: Share with us the full details... Do not disclose the issue to others until we've had a reasonable time to address it and disclosure has been approved by us.' Non-pursuit + authorized testing, but ZERO CFAA/DMCA/ToS carve-outs in authored prose (keyword-searched), and disclosure is gated (no CVD timeline) → fails two-of-three L4 → L3. cash.app security.txt valid (text/plain → Bugcrowd). block.xyz itself no security.txt. (Block migrated off HackerOne — square NOT_FOUND.)” | ||||||
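The notes above keep returning to the same handful of security.txt checks: a genuine 404 or a 403 WAF HTML page, a 200 that is really an HTML SPA shell (the Treasury Wine Estates "fake-200"), candidate pages byte-identical to a nonsense-path control (HUB24), and a file that serves a live Contact: line but a past Expires: (Dyno Nobel). The Python below is an added example that reproduces those verdicts offline from captured responses; it is not the corpus's own tooling and not a disclose.io artefact, every identifier in it is an assumption, and the sample captures are constructed rather than taken from any company listed.

```python
"""Offline classifier for the security.txt verdicts used in the audit notes.

Added example, not the corpus's own tooling. Names are assumptions and the
sample captures below are constructed. It applies the checks the notes rely on:
HTTP status (404 / 403 WAF), Content-Type text/plain versus an HTML shell served
with a 200, a byte-identical nonsense-path control (soft-404 / WAF challenge),
presence of a Contact: line, and an Expires: value already in the past.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Response:
    """A captured HTTP response: status code, Content-Type header, decoded body."""
    status: int
    content_type: str
    body: str


# Cheap HTML sniff for bodies that claim text/plain or arrive with an odd type.
HTML_MARKERS = re.compile(r"<!doctype\s+html|<html|<script|<body", re.IGNORECASE)


def parse_fields(body: str) -> dict[str, list[str]]:
    """Parse RFC 9116 'Field: value' lines; skip comments and blanks, keep repeats."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    """Accept RFC 3339 ('2027-01-01T00:00:00Z') and the bare date some sites publish."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def classify(resp: Response, control: Response | None = None,
             now: datetime | None = None) -> tuple[str, list[str]]:
    """Return (verdict, contacts). Verdicts mirror the audit vocabulary:
    blocked, not-found, waf-shell, fake-200-html, no-contact, bad-expires, expired, valid."""
    now = now or datetime.now(timezone.utc)
    if resp.status in (401, 403):
        return "blocked", []
    if resp.status != 200:
        return "not-found", []
    # A 200 whose body is byte-identical to a random path's response is a
    # challenge page or SPA shell, not a file (the 'nonsense control' test).
    if control is not None and resp.body == control.body:
        return "waf-shell", []
    media_type = resp.content_type.split(";", 1)[0].strip().lower()
    if media_type != "text/plain" or HTML_MARKERS.search(resp.body):
        return "fake-200-html", []
    fields = parse_fields(resp.body)
    contacts = fields.get("contact", [])
    if not contacts:
        return "no-contact", []
    if "expires" in fields:
        expires = _parse_expires(fields["expires"][0])
        if expires is None:
            return "bad-expires", contacts
        if expires <= now:
            return "expired", contacts
    return "valid", contacts


# Constructed sample captures (hypothetical hosts, not real responses).
AUDIT_DATE = datetime(2026, 6, 21, tzinfo=timezone.utc)
SPA_SHELL = "<!doctype html><html><head><script src='/_next/static/app.js'></script></head><body></body></html>"
WAF_SHELL = "<html><body>Request unsuccessful. Incapsula incident ID: 0</body></html>"
SAMPLES = {
    "valid": Response(200, "text/plain; charset=utf-8",
                      "# hypothetical\nContact: mailto:security@example.com\nExpires: 2027-01-01T00:00:00Z\n"),
    "expired": Response(200, "text/plain", "Contact: mailto:itsecurity@example.com\nExpires: 2025-12-31\n"),
    "fake": Response(200, "text/html; charset=utf-8", SPA_SHELL),
    "waf": Response(200, "text/html", WAF_SHELL),
    "nf": Response(404, "text/html", "<html><body>404 Not Found</body></html>"),
    "blocked": Response(403, "text/html", "<html><body>Access Denied</body></html>"),
}
CONTROL = Response(200, "text/html", WAF_SHELL)  # GET /zz-nonsense-control returned the same shell


def audit_samples() -> dict[str, str]:
    """Classify every constructed sample against the control; returns name -> verdict."""
    return {name: classify(r, control=CONTROL, now=AUDIT_DATE)[0] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:8s} -> {verdict}")
```

Two deliberate choices: a missing Expires: is tolerated (RFC 9116 requires it, but the notes grade a bare Contact: line as L1, so the classifier does the same), and the control comparison runs before the media-type check so a text/plain-labelled WAF shell still lands in waf-shell. For live use you would fetch apex and www, both /.well-known/security.txt and /security.txt, follow redirects, and capture a random-path control on the same host before calling classify.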
🇬🇧 United Kingdom · snapshot 2026-06-21 · 100 companies · graded against the disclose.io Maturity Model
| # | Company | Report | Policy | Disclose.io Maturity Level | Last verified | |
|---|---|---|---|---|---|---|
| 1 | AstraZeneca astrazeneca.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne astrazeneca submission_state:null (unclaimed stub; SEO title doesn't make it real). Bugcrowd 404. security.txt 301→HTML 404 both paths. Only a privacy DPO email. -> L0.” | ||||||
| 2 | HSBC hsbc.com |
Bugcrowd ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/hsbc-vdp-pro · Policy: https://bugcrowd.com/engagements/hsbc-vdp-pro
“Adversarial real-Chrome (Interceptor) re-read 2026-06-21: Bugcrowd brief hsbc-vdp-pro tier badge = 'Partial safe harbor' (Bugcrowd partial tier = limited goodwill non-pursuit, testing not fully authorized) -> L3, consistent with ASX NAB/ANZ. The full 'Safe Harbor: CFAA/DMCA/ToS' prose renders IDENTICALLY on full-tier (NatWest) and partial-tier (HSBC) engagements, so it is Bugcrowd's standard template (platform boilerplate), not HSBC's per-program commitment; the tier badge is the real signal. Prior L4 was an over-grade off the boilerplate block. (HSBC VDP also states a strict non-disclosure policy.)” | ||||||
| 3 | Shell shell.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: cert@shell.com · Policy: https://www.shell.com/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy.html
“Real VDP (scope + submit to cert@shell.com). No safe harbor — warns 'Certain hacking activities constitute criminal actions'; testing NOT authorized ('not intended to encourage hacking attempts') -> L2. HackerOne shell null stub. No security.txt.” | ||||||
| 4 | Rio Tinto riotinto.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne riotinto submission_state:null (unclaimed community stub — does not count). Bugcrowd 404. security.txt Imperva 403 HTML (Wayback empty). Own cyber page is internal governance only. -> L0. (Consistent with ASX audit.)” | ||||||
| 5 | Rolls-Royce Holdings rolls-royce.com |
Email ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: responsible.disclosure@rolls-royce.com · Policy: https://www.rolls-royce.com/~/media/Files/R/Rolls-Royce/documents/contact-us/vulnerability-disclosure-policy.pdf
“Company VDP PDF (aerospace group, references NCSC UK). Submit to responsible.disclosure@rolls-royce.com. Non-pursuit: 'Rolls-Royce affirms that it will not pursue legal action against you... where you have acted in good faith. Rolls-Royce reserves all legal rights in the event of noncompliance.' Testing NOT authorized ('does not give you permission to act in any manner that is inconsistent with the law'); no carve-out, no deadline -> L3. HackerOne rollsroyce null stub.” | ||||||
| 6 | Unilever unilever.com |
Bugcrowd ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor deep audit · confidence high
Report via: https://bugcrowd.com/engagements/unilever-vdp · Policy: https://bugcrowd.com/engagements/unilever-vdp
“Adversarial real-Chrome (Interceptor) re-read 2026-06-21 RESOLVES the JS-gated FLAG: Bugcrowd engagement unilever-vdp tier badge = 'Safe harbor' (FULL tier, same render as NatWest) with the full disclose.io block: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)...will not initiate or support legal action; Exempt from the Digital Millennium Copyright Act (DMCA); Exempt from restrictions in our Terms & Conditions. Testing authorized + 3 carve-outs -> L4. No published disclosure deadline -> not L5. The WebFetch subagent saw only the unrendered Bugcrowd shell and under-graded L2 (lesson #1).” | ||||||
| 7 | British American Tobacco bat.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 403 WAF HTML both paths (Wayback 404 throughout). HackerOne NOT_FOUND (3 slugs). Bugcrowd 404 x2. No VDP page. -> L0.” | ||||||
| 8 | GSK gsk.com |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: https://gsk.com/speakup
“Real text/plain security.txt: 'Contact: https://gsk.com/speakup'. But /speakup is a generic Case IQ ethics/whistleblower hotline (no scope/process/safe harbor) -> contact only, no VDP -> L1. HackerOne gsk null stub.” | ||||||
| 9 | BP bp.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://bp.responsibledisclosure.com · Policy: https://bp.responsibledisclosure.com/hc/en-us/articles/23491597359507-Scope-and-ROE
“Synack ResponsibleDisclosure.com program with published scope + promissory non-pursuit (ToS): 'Synack will not bring a private action against you or refer the matter for public inquiry.' NO testing authorization, NO CMA/CFAA/DMCA/ToS carve-out -> L3. No security.txt. HackerOne bppress null stub, bp NOT_FOUND.” | ||||||
| 10 | Barclays barclays.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://barclays.responsibledisclosure.com · Policy: https://barclays.responsibledisclosure.com/hc/en-us/articles/4412349655699-Scope-and-Rules-of-Engagement
“Real security.txt → Synack ResponsibleDisclosure program (scope + ROE) + internetsecurity@barclays.com. Promissory non-pursuit (ToS): 'Synack will not bring a private action against you or refer the matter for public inquiry.' NO testing authorization, NO carve-out -> L3. HackerOne barclays null stub.” | ||||||
| 11 | Lloyds Banking Group lloydsbankinggroup.com |
Email ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: securitydisclosure@lloydsbanking.com · Policy: https://www.lloydsbankinggroup.com/assets/pdfs/who-we-are/what-we-do/fraud/lbg-responsible-vulnerability-disclosure-policy-march24.pdf
“Published VDP PDF (Mar 2024). Non-pursuit: 'LBG affirms that it will not seek prosecution of any security researcher who reports any security vulnerability... where the researcher has acted in good faith.' NOT L4: CMA 1990 cited as a CONSTRAINT not waived; testing NOT authorized ('does not provide... any form of indemnity'; 'unauthenticated initiative') -> L3. No real security.txt. HackerOne lloyds_bank/lloydsbankinggroup null stubs.” | ||||||
| 12 | National Grid nationalgrid.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No researcher VDP. HackerOne nationalgriduk hollow stub (submission_state:null). UK 'Security and risks' page has no disclosure channel; US site offers only a customer phishing email (not a researcher VDP). security.txt 404/302-to-404. -> L0.” | ||||||
| 13 | BAE Systems baesystems.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: vulnerability@baesystems.com · Policy: https://www.baesystems.com/en/vulnerability-disclosure
“Own VDP page: scope (*.baesystems.com) + submit to vulnerability@baesystems.com. No safe harbor — only a constraint: 'Do not break any laws or regulations.' No non-pursuit, no testing auth, no carve-out, no deadline -> L2. HackerOne stubs excluded (baesystemsinc/bae-systems-old null). security.txt fake-200 HTML.” | ||||||
| 14 | NatWest Group natwestgroup.com |
Bugcrowd ↗ | policy ↗ | L4 | 2026-06-21 | ▸ |
Full Safe Harbor deep audit · confidence high
Report via: vdp@natwest.com · Policy: https://bugcrowd.com/engagements/natwest-vdp
“Bugcrowd NatWest VDP (full safe-harbor tier, read in real Chrome): 'we consider this research to be: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)...; Exempt from restrictions in our Terms & Conditions... we waive those restrictions.' Testing authorized + 3 carve-outs -> L4. 'Does not allow disclosure' -> not L5. Valid text/plain security.txt → the engagement. HackerOne natwest NOT_FOUND; rbsgroup null stub.” | ||||||
| 15 | Standard Chartered sc.com |
Email ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: security@sc.com
“Security Centre: 'To report any security issues... please contact security@sc.com.' Contact only — no policy/scope/safe-harbor/researcher language -> L1. HackerOne all NOT_FOUND. No security.txt. No platform program.” | ||||||
| 16 | Anglo American angloamerican.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 HTML both paths. HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404 x2. Synack no DNS. No VDP page. -> L0.” | ||||||
| 17 | RELX relx.com |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: security@relx.com
“Own security.txt (root path, text/plain): 'Contact: mailto:security@relx.com' (EXPIRED 2024-01-01; /.well-known/ 404). Contact only, no policy/scope/safe harbor -> L1. Subsidiary LexisNexis has its own valid contact-only file. HackerOne relx NOT_FOUND; lexisnexis null stub.” | ||||||
| 18 | Compass Group compass-group.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel for Compass Group plc. HackerOne compassgroupuk is an unclaimed stub (submission_state:null). MISATTRIBUTION GUARD: compass-bbp (open, Gold Standard SH) is Compass Inc (US real-estate) — excluded. security.txt 403/404 HTML + Wayback 404. Bugcrowd 404. Synack no DNS. -> L0.” | ||||||
| 19 | London Stock Exchange Group lseg.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://lseg.responsibledisclosure.com/hc/en-us · Policy: https://lseg.responsibledisclosure.com/hc/en-us
“Synack ResponsibleDisclosure.com portal (scope + ROE). Promissory non-pursuit (ToS): 'Synack will not bring a private action against you or refer the matter for public inquiry.' No testing authorization, no carve-out -> L3. HackerOne lsegplc null stub.” | ||||||
| 20 | Antofagasta antofagasta.co.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne antofagasta null stub. security.txt fail/500/404 (multiple hosts). Bugcrowd 404. Synack no resolve. Only 'Tu Voz' whistleblower. -> L0.” | ||||||
| 21 | Diageo diageo.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt clean 404 x4. HackerOne diageo 404 (no team/stub). Bugcrowd 404 x2. Synack ECONNREFUSED. Only SpeakUp/EthicsPoint. -> L0.” | ||||||
| 22 | Glencore glencore.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://www.glencore.com/service/report-vulnerability · Policy: https://www.glencore.com/service/report-vulnerability
“Own VDP (webform). Scope: 'Any platform or service under Glencore direct ownership or indirectly controlled...'. Non-pursuit (no testing auth): 'We will not pursue legal action / demands (unless deliberate non-compliance...).' No CMA/CFAA/DMCA/ToS carve-out, no deadline -> L3. Valid text/plain security.txt. HackerOne glencorexstrata null stub.” | ||||||
| 23 | Coca-Cola Europacific Partners cocacolaep.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No CCEP channel. security.txt 403 Cloudflare HTML (Wayback all 404). HackerOne 3 slugs 404. Bugcrowd 404. Synack refused. Only SpeakUp ethics. (TCCC / Coca-Cola HBC are DIFFERENT entities with their own programs.) -> L0.” | ||||||
| 24 | Haleon haleon.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne GraphQL NOT_FOUND (+ directory search empty). Bugcrowd 404 x2. security.txt 403 Akamai HTML (Wayback all 404). Synack NXDOMAIN. Only privacy/consumer forms. -> L0.” | ||||||
| 25 | Reckitt reckitt.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne reckitt NOT_FOUND; legacy 'discoverrb' is an unclaimed stub (submission_state:null) — does not count. security.txt 404 HTML both paths (Wayback empty). Bugcrowd 404. Synack no DNS. Cyber policy page has no reporting process. -> L0.” | ||||||
| 26 | SSE sse.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. HackerOne 'sse' is an unclaimed stub (submission_state:null, policy:null, empty external_program.about) — does not count. security.txt 404 both paths (Wayback empty). Bugcrowd 404. Synack no DNS. No own VDP. -> L0.” | ||||||
| 27 | Tesco tescoplc.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/tesco · Policy: https://hackerone.com/tesco
“Live HackerOne program (GraphQL submission_state:'open', full policy read). Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you...'. Authorized testing + non-pursuit, but NO CMA/CFAA/DMCA/ToS carve-out (0 of 3) -> L3. No security.txt.” | ||||||
| 28 | Prudential prudentialplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“UK Prudential plc has NO channel. HackerOne 'prudential' is an unclaimed stub (submission_state:null); 'prudentialplc' NOT_FOUND. security.txt 404 HTML. Bugcrowd 404. NAME-COLLISION GUARD: the open 'prudential-financial' HackerOne program is the SEPARATE US Prudential Financial Inc. (cites Cal. Penal Code 502(c)/OFAC) — excluded. -> L0.” | ||||||
| 29 | Vodafone vodafone.com |
HackerOne ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://hackerone.com/vodafone · Policy: https://hackerone.com/vodafone
“Live HackerOne program (GraphQL submission_state:'open', full policy read). Real VDP (scope + reporting requirements) but NO safe-harbor section: no 'authorised conduct', no non-pursuit, no testing authorization — to the contrary 'no permission to test has been granted by Vodafone' (third-party assets). Scope + submit, no legal commitment -> L2.” | ||||||
| 30 | Experian experianplc.com |
HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: https://hackerone.com/experian · Policy: https://hackerone.com/experian
“Live HackerOne program (GraphQL submission_state:'open', full policy read). Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. Authorized testing + non-pursuit, but the Legal section treats ToS + applicable law as CONSTRAINTS and disclaims authorization beyond the policy — 0 of 3 carve-outs -> L3.” | ||||||
| 31 | Ashtead Group ashtead-group.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (ashtead-group.com + Sunbelt brand domains). HackerOne NOT_FOUND (5 slugs). Bugcrowd none. Synack none. Sunbelt contact has only a privacy email. -> L0.” | ||||||
| 32 | 3i Group 3i.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 301→www→404 both paths. HackerOne NOT_FOUND (3i, 3i-group). Bugcrowd none. Synack none. Only generic annual-report cyber language. -> L0.” | ||||||
| 33 | Imperial Brands imperialbrandsplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (imperialbrandsplc.com + imperialbrands.com). HackerOne NOT_FOUND (3 slugs). Bugcrowd none. Synack none. Only an ESG 'Speaking Up' whistleblower channel. -> L0.” | ||||||
| 34 | Fresnillo fresnilloplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel. security.txt 404 (fresnilloplc.com + fresnillo.com.mx). HackerOne fresnillo NOT_FOUND; parent 'penoles' null stub (excluded). Bugcrowd none. Acknowledged a cyberattack but publishes no reporting channel. -> L0.” | ||||||
| 35 | BT Group bt.com |
Web form ↗ | policy ↗ | L3 | 2026-06-21 | ▸ |
Partial Safe Harbor deep audit · confidence high
Report via: btcertcc@bt.com · Policy: https://www.bt.com/about/contact-bt/responsible-disclosure
“Own policy + valid text/plain security.txt. Non-pursuit (L3): 'BT will not take civil action against or seek prosecution of security researchers who report any security vulnerability... where the researcher has acted in good faith and in accordance with this disclosure policy.' Testing NOT authorized; CMA cited as a CONSTRAINT ('does not give you permission to act in any manner inconsistent with the law... The Computer Misuse Act 1990'). Published 90-day timeline BUT no L4 carve-outs -> L3 (timeline alone can't lift it). HackerOne bt/btuk null stubs.” | ||||||
| 36 | InterContinental Hotels Group ihgplc.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: responsibledisclosure@ihg.com · Policy: https://www.ihg.com/content/us/en/customer-care/privacy-and-cookie-center/responsible-disclosure
“Real VDP (read in real Chrome via Interceptor): scope + 'Email your findings to: responsibledisclosure@ihg.com.' Testing RESTRICTED: 'Do not engage in social engineering, penetration testing, denial of service, or physical security testing.' No safe harbor/non-pursuit/carve-out/deadline -> L2. (Policy on operational ihg.com, not ihgplc.com.) HackerOne ihg null stub.” | ||||||
| 37 | Aviva aviva.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. HackerOne handle 'avivaplc' is an unclaimed community-curated directory STUB: GraphQL returns submission_state:null, state:null, policy:null (only an external_program ref name 'Aviva plc', which does not make a stub real). security.txt at both /.well-known/security.txt and /security.txt returns Aviva's 'Oops... something went wrong' HTML error page (not text/plain, no Contact: line); Wayback raw confirms same. No /responsible-disclosure or /security page (both 404). No Bugcrowd engagement (404), no Synack channel (DNS does not resolve).” | ||||||
| 38 | Next nextplc.co.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. No HackerOne team ('next' returns 'Team does not exist'). security.txt 404 at both /.well-known/security.txt and /security.txt on nextplc.co.uk (Wayback also 404). No /responsible-disclosure page (404). No Bugcrowd engagement (404), no Synack channel (no DNS). The only 'Responsible Disclosure Policy' in search results belongs to nextapp.co (a different, unrelated company), not Next plc the UK retailer.” | ||||||
| 39 | Legal & General legalandgeneral.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. HackerOne handle 'legalandgeneral' is an unclaimed community-curated directory STUB: GraphQL returns submission_state:null, state:null, policy:null, about:'' (only an external_program ref 'Legal & General', which does not make a stub real). The live page https://www.legalandgeneral.com/security/ (HTTP 200) is a CUSTOMER fraud/phishing-awareness page, not a VDP: its only contact is 'If you are concerned you may have already disclosed personal or security information please call us as soon as possible on 0800 096 6959' (a customer fraud line, not a researcher reporting channel). security.txt 404 (SPA 404 HTML, not text/plain) at both paths. No Bugcrowd engagement (404), no Synack channel (no DNS).” | ||||||
| 40 | Halma halma.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. No HackerOne team ('halma' returns 'Team does not exist'). security.txt at both /.well-known/security.txt and /security.txt returns Halma's 'Page not found - Halma plc' HTML (not text/plain, no Contact: line). The corporate policies-and-procedures page lists sustainability/ethics policies (Code of Conduct, anti-bribery, data privacy) but no vulnerability disclosure policy or security reporting contact. No /responsible-disclosure page (404). No Bugcrowd engagement (404), no Synack channel (no DNS).” | ||||||
| 41 | Associated British Foods abf.co.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. HackerOne handle 'associatedbritishfoods' is an unclaimed community-curated directory STUB: GraphQL returns submission_state:null, state:null, policy:null (only an external_program ref 'Associated British Foods plc', which does not make a stub real). 'abf' is not a team ('Team does not exist'). abf.co.uk is WAF-protected (Incapsula): /.well-known/security.txt and /security.txt return HTTP 403 'Access Denied'; Wayback shows a generic '404 - ABF' page (no security.txt ever archived). No Bugcrowd engagement (404), no Synack channel (no DNS).” | ||||||
| 42 | Airtel Africa airtel.africa |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel found. No HackerOne team ('airtel'/'airtel-africa' do not exist). Site is Incapsula-walled: security.txt at both paths returns a 404 Not Found (Incapsula challenge HTML, not text/plain), Wayback raw same. The /data-security page is a corporate sustainability page about CIA-triad controls and '5,526 external penetration tests' - it contains no vulnerability-reporting mechanism (grep for vulnerab/disclos/security@/researcher all NOT FOUND). The /online-security page is a consumer fraud/scam-awareness page with no researcher reporting channel, safe harbor, or contact. No Bugcrowd engagement (404), no Synack channel (no DNS). (The securitybugs@airtel.com address found in search belongs to Airtel India, a separate entity, not Airtel Africa.)” | ||||||
| 43 | Coca-Cola HBC coca-colahellenic.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“HackerOne hackerone.com/cocacolahbc is an unclaimed community-curated STUB: GraphQL returns submission_state:null, state:null, policy:null, empty about, zero structured_scope_versions, empty external_program (trap a) - does NOT count. The real Coca-Cola VDP (Bugcrowd/Intigriti/HackerOne cocacolaco) belongs to The Coca-Cola Company, a SEPARATE legal entity from Coca-Cola HBC (the bottler). HBC's own 'Trust Safety & Security' page (gr.coca-colahellenic.com) is an HR/culture page with no vulnerability/disclosure/security.txt/bug-bounty content. /.well-known/security.txt and /security.txt both return HTTP 403 Access Denied (no file).” | ||||||
| 44 | Informa informa.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel found on any surface. HackerOne 'informa' does not exist (GraphQL NOT_FOUND). Bugcrowd engagements/informa 404. Synack informa.responsibledisclosure.com does not resolve. /.well-known/security.txt and /security.txt both HTTP 404; Wayback raw archive is a 404 capture (no real file). Only a privacy center (privacy.informa.com) exists, not a security vulnerability policy. (Informa disclosed an Oracle EBS breach in 2025 but publishes no VDP.)” | ||||||
| 45 | Rentokil Initial rentokil-initial.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No security vulnerability-disclosure channel. HackerOne 'rentokil'/'rentokil-initial' do not exist (GraphQL NOT_FOUND). Bugcrowd engagements/rentokil + rentokil-initial 404. Synack rentokil-initial.responsibledisclosure.com does not resolve. /.well-known/security.txt returns the company's HTML 'Page not found' (404), not a text/plain file. Only a data-protection/privacy contact exists - dpo@rentokil-initial.com for privacy questions/complaints and personal-data-breach reporting - which is a DPO/privacy channel, not a security-researcher vulnerability disclosure policy.” | ||||||
| 46 | Scottish Mortgage Investment Trust scottishmortgageit.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel. /security.txt returns HTTP 200 but is the Next.js SPA homepage shell (text/html, redirected to scottishmortgage.com/en/rest-of-world/existing-shareholders) with NO Contact: line - not a real security.txt (trap c). /.well-known/security.txt behaves identically. No HackerOne 'scottish-mortgage' (NOT_FOUND), no Bugcrowd engagement, no Synack (scottishmortgageit.responsibledisclosure.com does not resolve). The fund is managed by Baillie Gifford; no security vulnerability policy published on either domain.” | ||||||
| 47 | Segro segro.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel on any surface. HackerOne 'segro' does not exist (GraphQL NOT_FOUND). Bugcrowd engagements/segro 404. Synack segro.responsibledisclosure.com does not resolve. /.well-known/security.txt and /security.txt both HTTP 404; Wayback raw is a 404 capture. Web search surfaced only 'Responsible SEGRO' ESG/annual reports, no security vulnerability or responsible-disclosure policy.” | ||||||
| 48 | Endeavour Mining endeavourmining.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No security vulnerability-disclosure channel. HackerOne 'endeavour'/'endeavourmining' do not exist (GraphQL NOT_FOUND). Bugcrowd engagements/endeavour + endeavour-mining 404. Synack endeavourmining.responsibledisclosure.com does not resolve. /.well-known/security.txt and /security.txt return the company's HTML 'Page Not Found' (404), not a text/plain file. Only an 'Endeavour Speak Up' 24/7 whistleblower/ethics line exists (fraud/unethical/illegal conduct under the Code of Business Conduct) - not a security-researcher vulnerability channel. NOTE: the 'Endeavour Group' VDP found in search is a different (Australian retail) company, not Endeavour Mining.” | ||||||
| 49 | Admiral Group admiralgroup.co.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence low
“No vulnerability-reporting channel found across all reachable channels. HackerOne GraphQL: handles 'admiral'/'admiralgroup' return NOT_FOUND; 'getadmiral' is an unrelated adtech firm ('Admiral provides publishers with a suite of products aimed at engaging and recovering adblock users') AND a stub (submission_state:null) -> not Admiral Group, disregarded. Bugcrowd /engagements/admiral and /admiral-group both 404. No admiral.responsibledisclosure.com (Synack) host. admiral.com/.well-known/security.txt = HTTP 404. Wayback availability API returns empty archived_snapshots for admiralgroup.co.uk/.well-known/security.txt AND admiral.com/.well-known/security.txt (never archived). Web search surfaces only unrelated 'Admiral' entities (ADMIRAL Technologies AG, Austria; GetAdmiral adtech). The admiralgroup.co.uk corporate site WAF rejects all programmatic clients (curl HTTP/2 INTERNAL_ERROR / 30s timeout; WebFetch 60s timeout), so its own pages could not be read directly, but every independently verifiable channel is negative.” | ||||||
| 50 | Diploma diplomaplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. security.txt at /.well-known/security.txt initially returned HTTP 200 but text/html that is the diplomaplc.com homepage SPA shell (redirected to www.diplomaplc.com/) -- NOT a real security.txt (no Contact: line, not text/plain); root /security.txt returns HTTP 404. HackerOne GraphQL handle 'diploma' = NOT_FOUND. Bugcrowd /engagements/diploma = 404. No diploma.responsibledisclosure.com (Synack). Web search of diplomaplc.com finds only privacy policy, policies/standards, and legal terms pages; security reporting routes to general enquiries@diplomaplc.com only, with no published VDP or security contact.” | ||||||
| 51 | Smith & Nephew smith-nephew.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. security.txt at both /.well-known/security.txt and root /security.txt returns HTTP 404 (text/html 'The resource you are looking for has been removed...'). HackerOne GraphQL handles 'smith-nephew' and 'smithnephew' both = NOT_FOUND. Bugcrowd /engagements/smith-nephew and /smithnephew = 404. No smith-nephew.responsibledisclosure.com (Synack). Web search and PSIRT query find no responsible-disclosure or product-security-reporting policy; only a generic Resources page, Code of Conduct breach reporting, and customer/adverse-event contacts -- none of which is a security vulnerability disclosure channel.” | ||||||
| 52 | United Utilities unitedutilities.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. security.txt at /.well-known/security.txt returns HTTP 403 Cloudflare challenge ('Attention Required!'), root /security.txt returns HTTP 404 (homepage HTML). Wayback availability API returns empty archived_snapshots for both unitedutilities.com and www.unitedutilities.com /.well-known/security.txt -- never archived, so the 403 is a WAF block on a path that does not exist as a real file. HackerOne GraphQL handle 'unitedutilities' returns submission_state:null / state:null / policy:null = an UNCLAIMED community-curated STUB, not a real program (does NOT count). 'united-utilities' = NOT_FOUND. Bugcrowd /engagements/united-utilities + /unitedutilities = 404. No unitedutilities.responsibledisclosure.com (Synack). Web search finds only a data-protection/GDPR page, no responsible-disclosure or security-reporting policy.” | ||||||
| 53 | Schroders schroders.com |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: security@schroders.com
“Real text/plain security.txt confirmed at https://schroders.com/security.txt (HTTP 200, content-type text/plain) and via canonical https://schroders.com/.well-known/security.txt. Full verbatim contents: 'Contact: mailto:security@schroders.com / Preferred-Languages: en / Canonical: https://schroders.com/.well-known/security.txt / Hiring: https://schroders.referrals.selectminds.com/careers/'. Contact only -- no Policy: line, no scope, no submission instructions, no safe-harbor / authorization / non-pursuit language. L1 (contact only). NOTE: web search surfaces hackerone.com/schroders as a 'program' but HackerOne GraphQL shows submission_state:null / state:null / policy:null = an unclaimed community-curated STUB (does NOT count); the security.txt is the only real channel.” | ||||||
| 54 | Intertek intertek.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. security.txt at both /.well-known/security.txt and root /security.txt returns HTTP 404 (EpiServer 'Resource Not Found' text/html page). HackerOne GraphQL handle 'intertek' = NOT_FOUND. Bugcrowd /engagements/intertek = 404. No intertek.responsibledisclosure.com (Synack). Web search finds only Code of Ethics, Compliance & Corporate Governance, and a Compliance Hotline (confidential misconduct reporting) -- none is a security vulnerability disclosure channel; no security.txt, no VDP, no PSIRT.” | ||||||
| 55 | Severn Trent severntrent.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No disclosure channel found. HackerOne hackerone.com/severntrent is an unclaimed community-curated STUB (GraphQL: submission_state:null, state:null, policy:null). No Bugcrowd /engagements/severn-trent or /severntrent (404). No Synack (severntrent.responsibledisclosure.com does not resolve, HTTP 000). security.txt at /.well-known/ and root returns HTTP 403 serving an HTML WAF/error page (title '500', digitalData type '500-error-page', 3257 bytes text/html) — NOT a real text/plain security.txt; no Wayback snapshot ever archived (availability API: archived_snapshots:{}). No own security/responsible-disclosure page found.” | ||||||
| 56 | Bunzl bunzl.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No disclosure channel found. HackerOne hackerone.com/bunzl is an unclaimed community-curated STUB (GraphQL: submission_state:null, state:null, policy:null). No Bugcrowd /engagements/bunzl (404). No Synack (bunzl.responsibledisclosure.com does not resolve, HTTP 000). security.txt at www.bunzl.com/.well-known/ and root both return HTTP 404 (empty body); no Wayback snapshot (availability API: archived_snapshots:{}). No own security/responsible-disclosure page found; annual reports surfaced but no VDP.” | ||||||
| 57 | M&G mandg.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No disclosure channel found. No HackerOne team exists (handles mandg / mng-prudential return 'Team does not exist'). No Bugcrowd /engagements/mandg or /mng (404). No Synack (mandg/mandgplc.responsibledisclosure.com do not resolve, HTTP 000). security.txt at /.well-known/ and root returns HTTP 404 (33,974-byte HTML 404 page). The only security-related page, mandg.com/footer/security-and-financial-crime, is consumer fraud/phishing advice only — quote: 'We're dedicated to protecting the safety and integrity of your personal information and investment with robust security processes' — with NO vulnerability-reporting channel, researcher contact, or coordinated-disclosure guidance.” | ||||||
| 58 | Standard Life standardlifeplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No disclosure channel found. HackerOne hackerone.com/standardlife is an unclaimed community-curated STUB (GraphQL: submission_state:null, state:null, policy:null). No Bugcrowd /engagements/standard-life or /standardlife (404). No Synack (standardlife/standardlifeplc.responsibledisclosure.com do not resolve, HTTP 000). security.txt /.well-known/ returns HTTP 404; root /security.txt returns HTTP 200 but is an HTML error page (text/html, 74,231 bytes, '<title>Error page | Standard Life plc</title>') — the trap-(c) SPA/error shell, NOT a real text/plain security.txt. No own VDP page (governance pages describe internal ISO 27001 pen-testing only). Note: standard.com 'Responsible Disclosure Program' belongs to a different company (The Standard / US insurer), not Standard Life plc.” | ||||||
| 59 | Centrica centrica.com |
Bugcrowd ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://www.centrica.com/site-tools/security/ · Policy: https://www.centrica.com/site-tools/security/
“Real, company-authored Bugcrowd-hosted VDP. centrica.com/site-tools/security/ embeds a Bugcrowd program widget (script src https://bugcrowd.com/633e3991-d6b9-48bb-b5ad-c4f47d0b8c87/external/script + data-bugcrowd-program .../external/report); the linked external/report page (HTTP 200) renders Centrica's 'Vulnerability Disclosure Policy' / 'Vulnerability Disclosure Philosophy' with scope 'This policy applies to any digital assets owned, operated, or maintained by Centrica, including public facing websites' and 'vulnerabilities across any asset owned, controlled, or operated by Centrica', a 'We Ask of Researchers' section, and a Bugcrowd submission form. NO safe-harbor / authorization-to-test / 'we will not pursue legal action' / Computer Misuse Act / good-faith carve-out anywhere in the policy, and no coordinated-disclosure deadline (only 'providing sufficient time and information for our team to validate and address potential issues'). Real VDP with scope+submit but zero legal commitment = L2. A 2023 archived /.well-known/security.txt (text/plain, 204 bytes) confirms the channel: 'Please report any security vulnerabilities by following our responsible disclosure policy which can be found here: https://www.centrica.com/site-tools/security/' (live security.txt now 404).” | ||||||
| 60 | Smiths Group smiths.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No disclosure channel found. No HackerOne team exists (handles smiths / smiths-group / smithsgroup return 'Team does not exist'). No Bugcrowd /engagements/smiths or /smiths-group (404). No Synack (smiths/smithsgroup.responsibledisclosure.com do not resolve, HTTP 000). security.txt /.well-known/ and root both return HTTP 404 (71,863-byte HTML 404 page). No own security/responsible-disclosure/PSIRT page found; smiths.com/contact-us has no security contact and no vulnerability-reporting guidance (only a 2025 cyber-incident news page exists, not a VDP).” | ||||||
| 61 | Beazley beazley.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel for Beazley's own systems. /.well-known/security.txt and /security.txt both return a soft-404 SPA shell (HTTP 200 but text/html with <title>404 error page | beazley</title>), not a real text/plain security.txt. HackerOne GraphQL: 'Team does not exist'. No Bugcrowd /engagements/ entry (404). No Synack subdomain (DNS fail). Own /security and /responsible-disclosure paths redirect to 404-error-page. The only Beazley 'security' offerings are its cyber-insurance breach-response product (bbr.claims@beazley.com), not a channel to report vulns in Beazley itself.” | ||||||
| 62 | Sage Group sage.com |
security.txt ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: security@sage.com · Policy: https://www.sage.com/en-gb/trust-security/
“Real text/plain security.txt at /.well-known/: 'Contact: mailto:security@sage.com / Contact: mailto:soc@sage.com / Policy: https://www.sage.com/en-gb/trust-security/ / Expires: 2040-12-02'. Published VDP: 'Sage's vulnerability disclosure policy is following the latest vulnerability disclosure toolkit provided by the NCSC and the ISO/IEC 29147:2018... send an email at soc@sage.com... Sage will respond within 5 working days and aim to triage your report within 10 working days. Permission is required from Sage before using automated tools or scans, performing brute force attacks, or denial of service.' No safe harbor: 'complying with the policy is not intended to provide protection if you breach the law, nor does this policy give permission to act in any manner that is inconsistent with the law' — a legal constraint, not a non-pursuit carve-out. Scope + submit channel with no legal commitment = L2. Timeline cited is Sage's internal response SLA, not a published coordinated public-disclosure deadline. HackerOne hackerone.com/sage is an unclaimed community stub (submission_state:null, policy:null) — does NOT count.” | ||||||
| 63 | IMI imiplc.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel. Live security.txt at both paths returns HTTP 403 (Cloudflare/WAF); Wayback raw confirms no security.txt has ever been archived ('.well-known/security.txt was not found on this server'; root /security.txt has no snapshot). HackerOne GraphQL: 'Team does not exist'. No Bugcrowd /engagements/ (404), no Synack subdomain. The only 'responsible' / disclosure language IMI publishes concerns ethics/whistleblower hotlines and a 2025 breach-incident press release, not a vulnerability-reporting policy or PSIRT.” | ||||||
| 64 | Marks & Spencer marksandspencer.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel. security.txt returns HTTP 404 at both paths on marksandspencer.com, www., and corporate. subdomains. HackerOne returns 'Team does not exist' for all handle forms (marksandspencer, marks-and-spencer, marks_and_spencer, mands, ms); hackerone.com/marksandspencer is a hard 404 ('<title>Page not found | HackerOne</title>'). A search engine surfaced a stale SEO title 'Marks & Spencer plc | Vulnerability Disclosure Policy' pointing at that dead HackerOne URL, but the live GraphQL and HTML both confirm no program exists. No Bugcrowd /engagements/ (404), no Synack subdomain. Post-2025-breach coverage discusses M&S reporting incidents to authorities, but there is no public channel to report vulnerabilities in M&S's own systems.” | ||||||
| 65 | Pearson pearsonplc.com |
Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: responsible.disclosure@pearson.com · Policy: https://www.pearson.com/legal-information/our-policies/responsible-security-disclosure-policy.html
“Company-authored Responsible Security Disclosure Policy (live, HTTP 200): report findings to responsible.disclosure@pearson.com with URL, version, reproduction steps/PoC, source IP, browser/OS; Pearson 'aims to respond to security reports within 24 hours' with a ticket reference; 'You must stop your investigations after finding the first security issue and request permission to continue testing.' Real VDP scope+submit = L2. NO safe harbor — the policy is explicitly anti-carve-out: 'research into Pearson Platforms and Services that does not comply with this policy may be considered malicious activity towards Pearson and legal action may be taken as necessary.' It cites 'the Computer Misuse Act (1990)' (plus GDPR, DPA 2018, CDPA 1988) as laws researchers must NOT break — a constraint, not a cfaaCarveout. Disclosure ask 'allow us a reasonable amount of time to resolve... before publicly disclosing it' has no fixed timeframe, so no published CVD deadline. HackerOne hackerone.com/pearsonplc: 'Team does not exist'. The pearsonplc.com security.txt (HTTP 200) is actually the homepage HTML (<title>Homepage | Pearson plc</title>), not a real text/plain security.txt.” | ||||||
| 66 | Games Workshop games-workshop.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-disclosure channel. security.txt returns HTTP 404 at both /.well-known/ and root on games-workshop.com (and investor. subdomain). HackerOne GraphQL: 'Team does not exist'. No Bugcrowd /engagements/ (404), no Synack subdomain. Web search for a security policy / responsible disclosure / 'report a vulnerability' / PSIRT returns only Games Workshop's 'Responsible Operations' (store-safety/ESG) and bribery policy pages — nothing about reporting security vulnerabilities.” | ||||||
| 67 | Sainsbury's about.sainsburys.co.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel. HackerOne handle 'sainsbury_s' is an unclaimed community-curated directory STUB: GraphQL returns submission_state:null, state:null, policy:null; external_program.about is a generic marketing blurb ('Follow us for delicious recipes, food inspiration, competitions and customer service'), not a security program. /.well-known/security.txt on sainsburys.co.uk returns HTTP 403 (Akamai edgesuite 'Access Denied'); about.sainsburys.co.uk/.well-known/security.txt returns an HTML SPA shell, not text/plain. No security.txt ever archived in Wayback. Bugcrowd /engagements/sainsburys = 404. Synack sainsburys.responsibledisclosure.com does not resolve (000). No own responsible-disclosure/PSIRT page found.” | ||||||
| 68 | Weir Group global.weir |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel of any kind. global.weir/.well-known/security.txt and root /security.txt both return the Weir '404 Error Page' HTML (title '404 Error Page | Weir'), not text/plain. No HackerOne team exists ('weir' = Team does not exist; 'weirgroup' = unclaimed stub, submission_state:null). Bugcrowd /engagements/weir and /weir-group = 404. Synack weir.responsibledisclosure.com does not resolve (000). Only governance/privacy pages exist on the corporate site; no responsible-disclosure, report-a-vulnerability, or PSIRT page.” | ||||||
| 69 | IG Group iggroup.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel. HackerOne handle 'ig' (name '#iG') is an unclaimed community-curated directory STUB: submission_state:null, state:null, policy:null. Handles 'iggroup' and 'ig-group' = Team does not exist. iggroup.com/.well-known/security.txt returns HTTP 000 (no response); www.ig.com/.well-known/security.txt and root /security.txt return the IG static '404' HTML page, not text/plain. No security.txt archived in Wayback. Bugcrowd /engagements/iggroup + /ig-group = 404. Synack ig/iggroup.responsibledisclosure.com do not resolve (000). Candidate own-site paths (/responsible-disclosure) return 404. No PSIRT page.” | ||||||
| 70 | Entain entaingroup.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No channel of any kind. entaingroup.com/.well-known/security.txt and root /security.txt both return HTTP 404 (text/html). No HackerOne team ('entain' and 'entaingroup' both = Team does not exist). Bugcrowd /engagements/entain = 404. Synack entain.responsibledisclosure.com does not resolve (000). Candidate own-site paths (/responsible-disclosure, /sustainability-esg/cyber-security/) return 404. No security.txt archived in Wayback. No responsible-disclosure or PSIRT page found.” | ||||||
| 71 | Investec investec.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No real channel. HackerOne handle 'investectreasury' is an unclaimed community-curated directory STUB: submission_state:null, state:null, policy:null. investec.com/.well-known/security.txt and root /security.txt return an HTML SPA page (Adobe helix-rum/OneTrust shell), not text/plain. The only security-related page, investec.com/.../legal/security-centre.html (read via Wayback snapshot 20250907 since the live site WAF-blocks at 403), is a CONSUMER fraud-protection page covering ShellShock/Bash, phishing, money mules, identity theft and 'phishing@investec.co.za' for phishing reports - it contains NO vulnerability-disclosure policy: no 'report a vulnerability', no scope, no security-researcher contact, no safe harbour, no testing authorization (zero matches for 'responsible disclosure'/'security researcher'/'bug bounty'). No dedicated responsible-disclosure page exists at any region (en_gb/en_za/en_us) - none archived in Wayback. Bugcrowd /engagements/investec = 404. Synack investec.responsibledisclosure.com does not resolve (000).” | ||||||
| 72 | Melrose Industries melroseplc.net |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: mailto:hostingalerts@sampsonmay.com
“A REAL security.txt exists at /.well-known/security.txt - served text/plain; charset=utf-8 with a valid Contact line. Full contents: 'Canonical: /.well-known/security.txt | Contact: mailto:hostingalerts@sampsonmay.com | Expires: 2030-01-01T10:10:00Z | Preferred-Languages: en'. Contact-only (L1): the file gives a reporting address but NO linked policy, NO scope, NO legal commitment, NO safe harbour, NO testing authorization, NO disclosure timeline. The Contact points to hostingalerts@sampsonmay.com - Sampson May is Melrose's corporate-website design agency, indicating this is a boilerplate file deployed with the site template rather than a Melrose-authored vulnerability policy. Root /security.txt returns 404; the well-known path is the canonical one.” | ||||||
| 73 | St. James's Place sjp.co.uk |
security.txt ↗ | — | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: security@sjp.co.uk
“Real text/plain security.txt at https://www.sjp.co.uk/security.txt (root /security.txt 301-redirects to www). Contents: 'Please report any security vulnerabilities to us via the contact method below... Contact: mailto:security@sjp.co.uk / Contact: mailto:dpo@sjp.co.uk'. Pure contact channel: no scope, no testing authorization, no safe harbor, no timeline = L1. No HackerOne/Bugcrowd/Synack program exists.” | ||||||
| 74 | Spirax Group spiraxgroup.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. /.well-known/security.txt and /security.txt both 404 (HTML). No HackerOne or Bugcrowd program (all slug variants NOT_FOUND/no engagement). No own responsible-disclosure or PSIRT page; only privacy/sustainability policies surfaced. Synack subdomain does not resolve.” | ||||||
| 75 | Babcock International babcockinternational.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“HackerOne hackerone.com/babcockinternationalgro is an unclaimed community-curated STUB: GraphQL returns submission_state:null, state:null, policy:null — not a real program (Trap A). No own responsible-disclosure/PSIRT page found; Information Security Factsheet PDF contains no reporting contact. /.well-known/security.txt and /security.txt both 404 (HTML) on apex and www. No Bugcrowd/Synack channel.” | ||||||
| 76 | ICG icgam.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. The full Policies & Disclosures index at icgam.com lists ~30 policies (Privacy, Complaints, Order Execution, Responsible Investing, regulatory disclosures) but NO responsible-disclosure / vulnerability / security-reporting policy. /.well-known/security.txt and /security.txt both 404 (HTML). No HackerOne/Bugcrowd/Synack program.” | ||||||
| 77 | Lion Finance Group lionfinancegroup.uk |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found (Lion Finance Group plc, formerly Bank of Georgia Group). Homepage/footer links only to Modern Slavery Statement, Privacy Notice, Accessibility, Site Map — no responsible-disclosure/security page. /.well-known/security.txt and /security.txt both 404 (large SPA HTML shell, not text/plain). No HackerOne/Bugcrowd/Synack program under lionfinancegroup or bankofgeorgia.” Source: https://lionfinancegroup.uk/ | ||||||
| 78 | Kingfisher kingfisher.com |
Web form ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: https://www.kingfisher.com/responsible-disclosure · Policy: https://www.kingfisher.com/responsible-disclosure
“Real authored Responsible Disclosure Policy at kingfisher.com/responsible-disclosure (mirrored at diy.com/B&Q and Screwfix): 'If you identify an issue or security vulnerability in any of Kingfisher's online assets, please report this to us using the submission form below... The provisions of this Responsible Disclosure Policy are intended to supplement BugCrowd's terms and conditions.' Optional bounty: 'Kingfisher may issue monetary compensation... at its sole discretion.' Has scope + submission method (Bugcrowd-backed on-site form) but NO safe harbor / NO testing authorization / NO CMA/CFAA/DMCA carve-out / NO disclosure timeline — instead 'Kingfisher reserves all of its rights to take action against security researchers who do not comply.' Real VDP = L2. No public Bugcrowd /engagements page (managed/private intake); no security.txt.” | ||||||
| 79 | Land Securities landsec.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“HackerOne hackerone.com/landsecurities is a community-curated STUB: GraphQL returns submission_state:null, state:null, policy:null (with only an external_program ref and SEO name 'Land Securities Group plc' — these do NOT make it real). No own security/responsible-disclosure page: landsec.com is a Next.js SPA returning HTTP 200 for all routes, but /responsible-disclosure renders the 404 'Not Found — This Page doesn't exist' shell. /.well-known/security.txt and /security.txt return HTTP 200 but text/html (SPA shell), not text/plain with Contact:. No Bugcrowd /engagements/ slug, no Synack responsibledisclosure.com subdomain (DNS NXDOMAIN).” | ||||||
| 80 | Computacenter computacenter.com |
VDP form ↗ | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
Report via: https://youlap.ch/.well-known/security.txt
“No vulnerability-reporting channel. computacenter.com/security exists (HTTP 200) but is a commercial security-services MARKETING page ('six key security challenges... Cyber Defence, Infrastructure Security...'), with no vulnerability-reporting process, security contact, scope, or safe-harbor language. /.well-known/security.txt and /security.txt both return HTTP 404 (text/html). No HackerOne program (computacenter/computacenterplc/computacentre all NOT_FOUND), no Bugcrowd /engagements/ slug, no Synack subdomain.” | ||||||
| 81 | Howdens Joinery howdens.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. /.well-known/security.txt returns an IIS 'The specified URL cannot be found' error page; /security.txt returns HTTP 404 ('The resource you are looking for has been removed...'). /security and /responsible-disclosure return HTTP 404. No HackerOne program (howdens, howdensjoinery NOT_FOUND), no Bugcrowd /engagements/ slug, no Synack subdomain. Web search surfaced only a privacy policy and a dataprotection@howdens.com privacy contact — no security/responsible-disclosure policy.” | ||||||
| 82 | Croda International croda.com |
— | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. /.well-known/security.txt and /security.txt both return the Croda '404 — Page not found' HTML page (<title>Page not found | Croda</title>), not text/plain with Contact:. /en-gb/security and /en-gb/responsible-disclosure return HTTP 404. No HackerOne program (croda, crodainternational NOT_FOUND), no Bugcrowd /engagements/ slug, no Synack subdomain. Web search surfaced only sustainability/ESG policy documents — no security disclosure policy.” | ||||||
| 83 | LondonMetric Property londonmetric.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. www.londonmetric.com/.well-known/security.txt and /security.txt both return HTTP 404 (text/html); /security and /responsible-disclosure return HTTP 404 (apex landsec.com without www fails to connect; site lives at www.londonmetric.com which returns 200). No HackerOne program (londonmetric NOT_FOUND), no Bugcrowd /engagements/ slug, no Synack subdomain. Web search surfaced only Responsible Business / ESG and Terms & Conditions pages — no security disclosure policy.”
| 84 | Aberdeen Group aberdeenplc.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel. aberdeenplc.com/security exists but is a CUSTOMER fraud/scam-awareness page only ('Getting help and reporting fraud', 'Staying safe online') — no security-researcher contact, scope, safe harbor, or vulnerability-reporting process; fraud contact is emailscams@aberdeenplc.com (consumer scam reporting, not vuln disclosure). /.well-known/security.txt and /security.txt return HTTP 200 but text/html (Next.js SPA shell), not text/plain with Contact:. No HackerOne program (aberdeen/aberdeengroup/aberdeenplc/abrdn/aberdeenstandard/standardlifeaberdeen all NOT_FOUND or null), no Bugcrowd /engagements/ slug, no Synack subdomain.”
| 85 | Metlen Energy & Metals metlen.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. security.txt at both /.well-known/security.txt and /security.txt on metlen.com and metlengroup.com returns the site's HTML 404/homepage page (text/html, not text/plain, no Contact: line). Own-site paths /responsible-disclosure and /security return HTTP 404. No HackerOne team (GraphQL: 'Team does not exist'). No Bugcrowd /engagements/metlen (404). No Synack metlen/mytilineos.responsibledisclosure.com (DNS does not resolve). Only governance/whistleblowing/compliance pages exist, no security-vulnerability channel.”
| 86 | Tritax Big Box REIT tritaxbigbox.co.uk | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. Homepage at www.tritaxbigbox.co.uk loads (HTTP 200), but security.txt at both /.well-known/security.txt and /security.txt returns HTTP 403 (WAF block, text/html) with no served file at those paths and no Wayback-archived copy. No HackerOne team (GraphQL: 'Team does not exist'). No Bugcrowd /engagements/tritax or /tritaxbigbox (404). No Synack tritax/tritaxbigbox.responsibledisclosure.com (DNS does not resolve).”
| 87 | British Land britishland.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. security.txt at both /.well-known/security.txt and /security.txt on www.britishland.com returns a clean HTTP 404 (confirmed live and via empty Wayback raw fetch). Own-site paths /responsible-disclosure and /security return HTTP 404. No HackerOne team (GraphQL: 'Team does not exist'). No Bugcrowd /engagements/britishland or /british-land (404). No Synack britishland.responsibledisclosure.com (DNS does not resolve).”
| 88 | JD Sports Fashion jdplc.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found. Corporate site jdplc.com is fully WAF-walled (homepage and all paths return HTTP 403); no Wayback-archived security.txt exists. Consumer site www.jdsports.co.uk serves an HTML page shell at /.well-known/security.txt (text/html SPA, not a text/plain file with a Contact: line), so it is not a real security.txt. No HackerOne team for jdsports or jdplc (GraphQL: 'Team does not exist'). No Bugcrowd /engagements/jdsports, /jd-sports, or /jdplc (404). No Synack jdsports.responsibledisclosure.com (SSL handshake failure, no valid cert/host).”
| 89 | Burberry burberryplc.com | security.txt ↗ | policy ↗ | L1 | 2026-06-21 | ▸ |
Contact Only deep audit · confidence high
Report via: appsec@burberry.com · Policy: https://www.burberry.com/.well-known/security.txt
“Real text/plain security.txt at the consumer domain (corporate burberryplc.com is WAF-403). Full contents: 'Contact: appsec@burberry.com / Bounties: Burberry do not currently operate a Bug Bounty program and do not permit unauthorized testing. / Reports: However, if you do identify a potential security issue, we welcome your feedback. / Hiring: ... / #v1.0'. Provides only a reporting contact email; the policy explicitly states testing is NOT authorized ('do not permit unauthorized testing') and offers no scope, no safe harbour, and no legal commitment — contact-only = L1. The HackerOne handle 'burberry' is an unclaimed community-curated stub (GraphQL submission_state:null / policy:null) and does not count.”
| 90 | International Airlines Group iairgroup.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No vulnerability-reporting channel found for the holding company. security.txt at both /.well-known/security.txt and /security.txt on www.iairgroup.com returns a clean HTTP 404. Own-site /responsible-disclosure and /security return HTTP 404. The HackerOne handle 'iag' is an unclaimed community-curated stub (GraphQL submission_state:null / policy:null) and does not count. No Bugcrowd /engagements/iag or /iairgroup (404). Operating-company British Airways security.txt returns a WAF 'Information Page' HTML, not a real text/plain file. No Synack iag/iairgroup.responsibledisclosure.com (DNS does not resolve).”
| 91 | Pershing Square Holdings pershingsquareholdings.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No external vulnerability-reporting channel. The corporate-governance page only references internal 'Information Security Committee' and 'Disclosure Committee' minutes presented to the Board quarterly — internal governance, not a researcher-facing VDP. security.txt at both /.well-known/security.txt and /security.txt returns the WordPress/Gravity-Forms HTML site shell (200 HTML, not text/plain, no Contact: line). No HackerOne/Bugcrowd/Synack program.”
| 92 | Persimmon persimmonhomes.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No security/responsible-disclosure/PSIRT page found. Privacy policy states only that the company 'takes reasonable technical and organisational measures to protect Personal Data' — no researcher channel. Public contacts are general/feedback only (feedback@persimmonhomes.com). security.txt at /.well-known/ and root redirects (301) to www, which returns an IIS '404 - File or directory not found' HTML page — no real security.txt. No HackerOne/Bugcrowd/Synack program.”
| 93 | Whitbread whitbread.co.uk | Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: information.security@whitbread.com · Policy: https://www.whitbread.co.uk/governance/information-security/
“Real VDP with scope + submission instructions, no legal commitment. 'If you discover a site vulnerability ... please notify us via information.security@whitbread.com.' Researcher guidelines are prohibitions, not authorization: 'Do not attempt to access, modify, destroy, or disclose our users’ information. Do not attempt to deface or degrade our services. Do not violate applicable law.' No safe-harbor / non-pursuit promise. No Computer Misuse Act / CFAA / DMCA carve-out. 'You should receive a response within two business days' is a response SLA, not a coordinated-disclosure deadline. Explicitly no bug bounty ('we do not operate bug bounty programme at this time'). → L2.”
| 94 | Convatec convatecgroup.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No responsible-disclosure / PSIRT / security.txt found despite being a MedTech device maker. Privacy policy and documents-and-disclosures pages list no researcher channel; only general (cic@convatec.com) and data-privacy (dataprivacy@convatec.com) contacts exist. security.txt at /.well-known/ and root → 301 → www returns the Convatec Group homepage HTML (200 HTML, not text/plain, no Contact: line). No HackerOne/Bugcrowd/Synack program.”
| 95 | Autotrader Group plc.autotrader.co.uk | Email ↗ | policy ↗ | L2 | 2026-06-21 | ▸ |
Basic VDP deep audit · confidence high
Report via: customersecurity@autotrader.co.uk · Policy: https://www.autotrader.co.uk/hall-of-fame
“Auto Trader Group plc's operating entity (Auto Trader Limited) publishes a real VDP + Hall of Fame on the consumer site autotrader.co.uk. 'Please send your reports to our Customer Security team: customersecurity@autotrader.co.uk.' Researcher guidance is good-faith-conduct framing, not authorization: 'Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.' Prohibitions include denial of service, brute forcing, spamming, social engineering, physical attacks. No safe-harbor / non-pursuit promise; no Computer Misuse Act / CFAA / DMCA carve-out. Disclosure ask: 'Provide us a reasonable amount of time to resolve the issue before any disclosure' — unspecified, no published deadline. → L2. NOTE: the HackerOne hackerone.com/autotrader_uk page (SEO title 'Auto Trader Limited | Vulnerability Disclosure Policy') is a community-curated STUB — GraphQL returns submission_state:null, state:null, policy:null — NOT a real program.”
| 96 | Barratt Redrow barrattredrow.co.uk | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No responsible-disclosure / vulnerability-disclosure / security.txt / report-a-security-issue policy. The Policies and Documents page lists corporate/ESG policies (Anti-Bribery, Code of Conduct, Whistleblowing, Modern Slavery, etc.) but no security-vulnerability-reporting policy or contact. security.txt at /.well-known/ and root → 301 → www returns an Investis-hosted 'Page not found – Barratt Redrow plc' HTML page (no text/plain, no Contact: line). No HackerOne/Bugcrowd/Synack program.”
| 97 | DCC dccplc.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“Listed domain dccplc.com has no DNS A record (NXDOMAIN-equivalent; curl returns HTTP 000, no connection). DCC plc's real corporate site is www.dcc.ie (Dublin HQ, FTSE 100 sales/distribution group), which returns HTTP 404 text/html on BOTH /.well-known/security.txt and /security.txt. HackerOne hackerone.com/dccplc is an UNCLAIMED community-curated STUB: GraphQL team(handle:"dccplc") returns submission_state:null, state:null, policy:null (name 'DCC plc' is an SEO label only, not a real program). Bugcrowd /engagements/dcc = 404. Synack dcc.responsibledisclosure.com = no host (HTTP 000). No company security/responsible-disclosure page found.”
| 98 | Hiscox hiscoxgroup.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“No security.txt on any Hiscox domain: hiscoxgroup.com, hiscox.com, and hiscox.co.uk all return HTTP 404 text/html on /.well-known/security.txt and /security.txt (genuine HTML 404 page: '<title>404 Not Found</title> ... The requested URL was not found on this server'). The hiscoxgroup.com footer/nav contains only About/Careers/Investors/News/Responsibility and a Legal menu (Glossary, Accessibility, Privacy, Cookies, Site Map, Terms, RSS, Modern Slavery Act) — no security, responsible-disclosure, vulnerability-reporting, or PSIRT page. HackerOne hiscox / hiscoxgroup = 'Team does not exist'. Bugcrowd /engagements/hiscox + hiscoxgroup = 404. Synack hiscox.responsibledisclosure.com = no host.”
| 99 | Alliance Witan alliancewitan.com | — | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
“Alliance Witan plc (investment trust, ticker ALW) site is a Next.js SPA. Both /.well-known/security.txt and /security.txt return HTTP 404 text/html — the response is the site's standard Next.js 404 page ('404 / Oops! Page not found.', logo alt 'Alliance Witan (ALW) logo'), not a text/plain security.txt. The /contact-us page lists only investor-inquiry contact details and no security, responsible-disclosure, vulnerability-reporting, or PSIRT channel. HackerOne alliancewitan + alliance-witan = 'Team does not exist'. Bugcrowd /engagements/alliance-witan = 404. Synack alliancewitan.responsibledisclosure.com = no host.”
| 100 | Polar Capital Technology Trust polarcapitaltechnologytrust.co.uk | PSIRT ↗ | — | L0 | 2026-06-21 | ▸ |
Not Present deep audit · confidence high
Report via: https://www.first.org/members/teams/capital_group
“Polar Capital Technology Trust plc (investment trust managed by Polar Capital LLP). No security.txt on the trust site (polarcapitaltechnologytrust.co.uk /.well-known/security.txt + /security.txt both 404 text/html) nor on the manager domains (polarcapital.co.uk and polarcapitalfunds.com both 404). The trust's only reporting-related page, /Protect-against-Fraud/, addresses investment/financial fraud and impersonation scams ONLY — it has no technical security-vulnerability or responsible-disclosure channel. NOTE: a 'Polar' VDP exists at polar.com/uk-en/legal/vulnerability-disclosure but that is the Polar sports-watch/fitness company, an UNRELATED entity (not Polar Capital). HackerOne polarcapital = 'Team does not exist'. Bugcrowd /engagements/polar-capital + polarcapital = 404. Synack polarcapital.responsibledisclosure.com = no host.”