The world's biggest companies, graded on vulnerability disclosure

“Contact: mailto:aws-security@amazon.com | AWS Vulnerability Disclosure Program: https://hackerone.com/aws_vdp | Policy: https://vdp.aws.security/”

“Walmart Responsible Disclosure Policy: 'We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.' Promissory non-pursuit, but testing NOT explicitly authorized, no CFAA/DMCA/ToS carve-out, no timeline → L3. security.txt live, Contact → policy.”

“This policy prohibits the performance of the following activities: Hacking, penetration testing, or other attempts to gain unauthorized access to UnitedHealth Group software or systems; Active vulnerability scanning or testing; | If you have discovered an issue that you believe is an in-scope vulnerability, please email securityreporting@optum.com | The following types of vulnerabilities are considered out of the scope for the purposes of this program: Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS); Reports of non-exploitable vulnerabilities... | The time to address a valid, reported vulnerability will vary based on impact of the potential vulnerability and affected systems. | For the security of our customers, UnitedHealth Group will not disclose, discuss, or confirm security issues. | Security researchers must not violate any law, or access, use, alter or compromise in any manner any UnitedHealth Group data.”

“For Product categories, the issue must affect the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS, with a standard configuration and on publicly available Apple hardware or Security Research Device. | For Services, the issue must relate to a web server or service owned by Apple or an Apple subsidiary. | Submit your report online to help ensure that you receive timely updates, can add additional information as needed, and can communicate with Apple security engineers about your report. | We make it a priority to resolve security and privacy issues as quickly as possible, and most reports are resolved within 90 days. | Publicly disclosing security issues before a fix is available makes you ineligible for all Apple Security Bounty rewards.”

“Google & Alphabet VRP (Bug Hunters), live since 2010. Scope: 'any Google-owned or Alphabet (Bet) subsidiary web service that handles reasonably sensitive user data'. Authorization language is RESTRICTIVE only: 'The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications...'. No affirmative safe-harbor, no 'will not pursue legal action', no CFAA/DMCA/ToS carve-out, no CVD deadline in the VRP policy. security.txt: Contact https://g.co/vulnz + security@google.com; Policy https://g.co/vrp.”

“we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue. | Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disrupting our customers' experience are all outside the scope of this program and outside any protections it affords from legal recourse. | You are expected to engage in security research responsibly. | Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines”

“No public channel. hackerone.com/berkshirehathaway is a legacy directory stub (GraphQL submission_state=null, policy=null, scopes=[]). security.txt 404 at all paths (genuine Apache 404, not WAF). Search hits claiming a VDP are AI inferences from the empty stub. Prior 'none' confirmed.”

“please submit it in the form below or email VulnerabilityReporting@McKesson.com | We will contact you to confirm that we've received your report and trace your steps to reproduce your research. We will work with the affected teams to validate the report. We will notify you of remediation | Do not hack, penetrate, or attempt to gain access to McKesson infrastructure, systems, or data | you agree to comply with McKesson's Terms of Service, McKesson's Privacy Policy, and all applicable state, federal, or international laws and regulations | you may not publicly disclose your findings or the contents of your Submission to any third parties. McKesson's program does not permit disclosure to any party outside of McKesson”

“No public channel. hackerone.com/exxonmobil is an unclaimed community stub — real-Chrome render reads 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'This page is not affiliated with ExxonMobil.' GraphQL: empty policy/email, offers_rewards=false. security.txt 404. Prior 'none' confirmed.”

“No org-operated channel. Only artifact is an unclaimed HackerOne community stub at hackerone.com/healthcareabc (AmerisourceBergen) — real-Chrome render: 'There are no known guidelines...' + 'This page is not affiliated...' + 'Claim this page'. No scope/submit/policy/email. Below L1. Prior 'none' confirmed.”

“Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions , Microsoft Bounty Legal Safe Harbor , Rules of Engagement , Bounty Program Guidelines | Cloud Programs Up to $100,000 USD ... Endpoint & On-Prem Programs Up to $250,000 USD ... Zero Day Quest Up to $100,000 USD | Report vulnerabilities privately and allow time for remediation before public disclosure. Adhere to our Rules of Engagement and program scope to ensure eligibility for awards. | Do not access, modify, or exfiltrate customer data. Never disrupt services or compromise uptime.”

“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact | Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) | Work directly with the JPMorgan Chase Responsible Disclosure Program on vulnerability submissions | you will be allowed to disclose the vulnerability after a fix has been issued | Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.JPMorganChase.com”

“LIVE HackerOne VDP (GraphQL submission_state=open, public_mode, offers_bounties=false). Safe Harbor: 'We do not intend to assert claims under computer abuse laws for activities conducted in a manner consistent with this policy... if legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Promissory + CFAA reference, but testing NOT explicitly authorized, no DMCA/ToS carve-out → L3. security.txt at www.costco.com/security.txt (root). Prior L1 undercounted → L3.”

“VDP at cigna.com/legal/members/responsible-vulnerability-disclosure. Safe harbor: 'We will not pursue legal action against you if you act in good faith... comply with these Guidelines...'. CVD timeline: 'Please provide us a minimum of 90 days... After this 90 day period, you may publicly disclose...'. Submit via security@cigna.com (PGP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out → L3 (has a 90-day clock but testing not authorized). Prior L1 undercounted → L3.”

“Coordinated Vulnerability Disclosure process: report via email to GMB-MedicalDeviceSecurity@cardinalhealth.com; scope = supported/connected medical devices. No safe-harbor or testing authorization. (hackerone.com/cardinal_health is a non-operational directory placeholder.)”

“This is a responsible disclosure program without bounties. | Your Submission must be for an Asset (herein referred to as "product" and/or "technology") that is identified as in scope of the NVIDIA Program(s). | You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform. | You agree to conduct your research within the bounds of Ethical Hacking. | You agree to practice coordinated disclosure in all of your security research conducted under the Program”

“First-party Meta Bug Bounty (not HackerOne). Testing auth + CFAA: 'We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA)... to test the security of the products and systems identified as in-scope.' Safe harbor: 'we will not initiate a complaint to law enforcement or pursue a civil action against you.' DMCA: 'Meta will also not pursue... DMCA claims against you for circumventing the technological measures...'. ToS waiver: 'To the extent activities authorized by these Meta Bug Bounty terms are inconsistent with other terms of service... we waive those restrictions.' No day-count deadline → L4. Prior directory-L2 was a major miss.”

“No channel. Only HackerOne presence (antheminc, former name) is a community stub ('There are no known guidelines...', 'not affiliated with Anthem'). security.txt 404 (elevancehealth.com + anthem.com). Own cybersecurity page is internal governance only. Prior 'none' confirmed.”

“Active HackerOne VDP at hackerone.com/centene_vdp (HTTP 200, type VDP). 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you' + third-party defense = safe harbor + authorization (L3). policy_versions grep: zero CFAA/DMCA/ToS/timeline → no L4/L5. Prior 'none' matched the empty /centene stub, not the real _vdp program.”

“hackerone.com/bofa is an empty stub (GraphQL submission_state=null, validated against working controls). bankofamerica handle NOT_FOUND. Bugcrowd 404 (3 slugs). Synack ECONNREFUSED. security.txt 404. security-center is consumer fraud/phishing only, no researcher channel. Prior L1 was a false channel → L0.”

“hackerone.com/chevron is an unclaimed community stub (real-Chrome: 'There are no known guidelines...', 'not affiliated with Chevron', no submit). Bugcrowd 404. Synack ECONNREFUSED. No security.txt (404 www+apex). Own cybersecurity page is internal-only. Prior 'none' confirmed.”

“Live HackerOne VDP ('Ford - Vulnerability Disclosure Program'; also a Bugcrowd coordinated-disclosure engagement). Safe harbor (via FireBounty mirror + WebFetch): 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you' + third-party support. Scope *.ford.com/*.lincoln.com + FordPass + vehicle hardware. No CFAA/DMCA/ToS, no deadline → L3. Prior 'none'/timeout was wrong.”

“Live public HackerOne VDP (submission_state=open, public_mode). 'GM agrees not to pursue civil action against researchers who comply...'; activities consistent with the policy are '"authorized" conduct under the Computer Fraud and Abuse Act'; '...we will not bring a DMCA claim...'. No explicit ToS carve-out and no published CVD deadline (disclosure gated on remediation).”

“Live Bugcrowd VDP (state in_progress, open, scope 'Any Citigroup owned asset', no_reward). Citi's authored policy DISCLAIMS authorization/safe harbor: 'this program should not be construed as encouragement or permission to perform... Hack, penetrate or otherwise attempt to gain unauthorized access... Citi does not waive any rights or claims.' → real VDP but no safe harbor = L2 (authored prose governs over Bugcrowd's generic badge).”

“No current channel. security.txt 404 (live only in a single 2023 snapshot, gone since). Synack host homedepot.responsibledisclosure.com now NXDOMAIN (VDP decommissioned). No HackerOne/Bugcrowd. TechCrunch (2025-12-12): 'Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program.' Prior 'none' confirmed.”

“Working vulnerability-report web form on own domain (fields for location/URL, repro steps, impact, PoC, reporter email). No safe-harbor/no-legal-action promise, no testing authorization; reports may be shared with law enforcement. (hackerone.com/fanniemae is a directory placeholder.)”

“Live Bugcrowd VDP (no_reward, open). Explicit authorization: 'Testing is authorized on the websites and applications in scope.' Safe harbor: 'We consider any security research conducted in good faith and in compliance with this Policy to be authorized conduct and we will not initiate legal action against you... If legal action is initiated by a third party... we will take steps to make it known that your actions were authorized.' No CFAA/DMCA/ToS carve-out; disclosure gated on consent (no timeline) → L3. security.txt routes Contact to bugcrowd.com/kroger-vdp. Prior L1 undercounted → L3.”

“Official 'Report Security Vulnerability' page; submit via vecirt-incident@verizon.com (routed to CIRT). Explicitly anti-safe-harbor: 'Verizon does not endorse, solicit, or request independent testing... for security vulnerabilities' and requires following all Terms and Conditions. No carve-out, no timeline.”

“CONFIRMED LIVE HackerOne VDP: GraphQL team(handle:'phillips66co') resolves to a real registered program 'Phillips 66' (energy co, distinct from healthcare 'philips'). No-bounty VDP. BUT policy markdown is UNREADABLE via every unauthenticated channel (live + Wayback are JS shells; GraphQL policy:null), so exact level could not be read — ≥L2 floor, L3/L4/L5 indeterminate. Level NOT guessed (unverified). security.txt 404. Bugcrowd 404.”

“No channel for MPC. No owned VDP/PSIRT/security page — corporate ToU is anti-testing: prohibits 'attempting to probe, scan, or test the vulnerability of any system' and 'will cooperate with law enforcement'. HackerOne /marathonpetroleum = Page not found. Bugcrowd 404. Synack no DNS. security.txt absent (Wayback 404 both 2023 snapshots). Prior 'none' confirmed (hostile posture).”

“Live security.txt (200): 'Contact: mailto:itsecurity@stonex.com / Encryption: .../itsecurity.pgp / Hiring: ...'. NO Policy: field, no scope, no submission form, no safe-harbor. Contact-only. No owned VDP, no HackerOne/Bugcrowd, no Synack. Prior L1 confirmed.”

“State Farm will not take legal action against you or revoke access to State Farm applications | If you have noticed an information security issue in a State Farm system while using www.statefarm.com or a State Farm mobile application, we want to hear about it | Please disclose issues using the Vulnerability Disclosure Communication form located on this web page | State Farm will work to address the issue in a timely fashion | We reserve all legal rights in the event of noncompliance”

“VDP on own domain: 'applies to all internet-facing assets...'. Triaged by Bugcrowd; no bounty. No safe-harbor/no-legal-action promise, no testing authorization, no carve-out, no timeline.”

“security.txt resolves at ROOT (humana.com/security.txt; /.well-known/ 404s), HTTP 200: 'Contact: mailto:bugbounty@humana.com / Expires: 2026-01-01 / Hiring: ...'. No Policy: field, no public HackerOne/Bugcrowd program. Contact-only. (Expires date is in the past.)”

“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties $50-$3,000). Scope + submit path = L2. NO safe harbor/authorization/carve-out. Restrictive: 'You may only exploit... your own accounts. Testing must not violate any law...' + injunctive-relief threat. No security.txt. Prior L1 undercounted.”

“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties). Scope (*.gs.com, *.goldmansachs.com) + Submit = L2. No promissory safe harbor (only HackerOne boilerplate). No carve-out, no timeline ('will not be publicly disclosing reports at this time'). Prior L1 undercounted.”

“Real public Bugcrowd program 'Comcast Xfinity VDP' (slug comcastvdp, participation=open, 1,459 rewarded). Brief safeHarborStatus='full' (= CFAA/CMA + DMCA + ToS/AUP carve-outs per Bugcrowd/disclose.io definition). 'Testing is only authorized on the targets listed as in scope.' No published disclosure deadline → L4. xfinity.com/vulnerabilityreport routes here. (hackerone.com/comcast is a null stub.) Prior L1 was a major miss.”

“First-party policy: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.' + third-party defense language. Testing authorized + non-pursuit = L3. No CFAA/DMCA/ToS carve-out, no disclosure timeline. Email submission; public disclosure prohibited without permission. Prior L1 undercounted.”

“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact | Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) | To work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith | you will be allowed to disclose the vulnerability after a fix has been issued | Not to engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems”

“No channel. security.txt 404 both paths (HTML). HackerOne valero = team does not exist; valeroenergy = null community stub. Bugcrowd 404. Synack no DNS. Legal Notice PROHIBITS testing ('Probes, scans, or tests the vulnerability... without proper authorization'); only generic privacy emails. Prior 'none' confirmed.”

“Contact: https://www.dell.com/support/dell-vulnerability-response-policy # Bug Bounty Program - Applications | Contact: https://bugcrowd.com/dell-com # Bug Bounty Program - Products | Contact: https://bugcrowd.com/dell-product | Policy: https://www.dell.com/support/dell-vulnerability-response-policy”

“Policy on own domain (security.target.com/vdp/). Scope: 'any of Target's guest-facing online services.' Safe harbor: 'Target will not take legal action against you related to any activities conducted in a manner consistent with this Policy and otherwise in good faith.' Submissions via HackerOne. No explicit authorization to test or statutory carve-outs.”

“security.txt at /.well-known/ (confirmed via Wayback; live edge WAF-blocks non-browsers). Policy tesla.com/legal/security: 'pre-approved, good-faith security researcher... has not accessed a computer without authorization... under the CFAA' (CFAA) and 'will not bring a copyright infringement claim under the DMCA... who circumvents security mechanism' (DMCA). Authorization gated on pre-registration; no explicit ToS waiver; disclosure 'reasonable time' (no fixed deadline) → L3. Public Bugcrowd program bugcrowd.com/tesla.”

“Real open HackerOne program (GraphQL submission_state=open, public_mode, 'The Walt Disney Company'). Conditional non-pursuit: 'If we conclude, in our sole discretion, that you have complied... TWDC will not pursue claims against you in response to your report.' Testing NOT broadly authorized; no carve-outs; SLAs are response targets not a CVD deadline. Scope incl. Disney+, ESPN, Marvel, etc. Prior L1 undercounted → L3.”

“Vulnerability Reporting Program scope = 'J&J's infrastructure, websites, public APIs, and applications'; report via vulnerability_reporting@its.jnj.com (devices via productsecurity@jnj.com). 10-business-day acknowledgment; asks to 'Comply with all laws.' No safe-harbor language. Also runs hackerone.com/jnj.”

“HackerOne 'pepsico_vdp' (GraphQL submission_state=open, public_mode). Real VDP with scope/rules but NO safe-harbor/legal/authorization language → L2. Bare 'pepsico' = team does not exist; no security.txt (404); no Synack/Bugcrowd. Prior L1 undercounted.”

“Boeing will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. | We consider activities conducted consistent with this policy to constitute authorized access under anti-hacking laws. | To the extent your activities are inconsistent with certain Boeing terms and conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. | Provide Boeing reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.”

“HackerOne 'ups' (UPS VDP, GraphQL open/public_mode). Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorization + non-pursuit but no CFAA/DMCA/ToS carve-out, no deadline → L3. No security.txt (404). Prior L1 undercounted.”

“VDP on own domain with embedded web form. Scope: 'public facing RTX product, system, or asset'. Asks to 'Provide RTX reasonable time to resolve.' No safe-harbor, no authorization, no timeline. Also listed on hackerone.com/rtx.”

“VDP managed by Synack. Scope *.fedex.com. Safe harbor: 'Synack will not bring a private action against you or refer the matter for public inquiry.' Submit via fedex.responsibledisclosure.com. (Trust Center landing page intermittently 503s.)”

“Only an empty HackerOne community stub (hackerone.com/progressivecorp — GraphQL state=null, policy=null, external_program). Own /security/ 404; security.txt both paths = branded 404. No real HackerOne program (4 slugs none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”

“HackerOne 'lowes' (Lowe's Companies VDP, GraphQL open/public_mode). Non-pursuit: "Lowe's will not take legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Vulnerability Disclosure Policy." Full scope + SLAs (real VDP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out, no deadline → L3. (lowes.com security.txt bleeds through to an unrelated TIAA-CREF stub — not Lowe's.) Prior L1 undercounted.”

“No channel. HackerOne 'Team does not exist' (4 slugs). No Bugcrowd (404). No Synack (NXDOMAIN). security.txt behind F5 WAF 403 with no real file. Only a corporate privacy mailbox (not a researcher channel). Prior 'none' confirmed.”

“we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy | Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls | Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis | Public disclosure may be allowed upon request, and only after granted written permission to do so from P&G”

“Only an empty HackerOne community stub (hackerone.com/sysco — GraphQL state=null, policy=null, external_program). security.txt path returns 200 but is SPA HTML (not a real file). No real HackerOne (syscocorp none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”

“hackerone.com/americanexpress is an empty community-curated stub (GraphQL submission_state=null, policy='', external_program, scopes=[]). security.txt both paths 302→404 (Akamai). Amex security-center is consumer fraud guidance; sole email spoof@americanexpress.com is phishing, not vuln disclosure. Bugcrowd 404; Synack ECONNREFUSED. Prior L1 was a false channel → L0.”

“Responsible Disclosure powered by Synack. Submit via form. Safe harbor: '...Synack will not bring a private action against the reporter or refer the matter for public inquiry.' Disclosure only after fix. (Site 403s bots.)”

“No channel. Footer exposes only Privacy/Terms/Compliance, no security link. HackerOne /adm + /archer_daniels_midland 404 (no program/stub). Bugcrowd /engagements/adm 404. Synack ECONNREFUSED. security.txt both paths clean 404 (not WAF). Prior 'none' confirmed.”

“hackerone.com/metlife is an empty community stub — real-Chrome render verbatim: 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'not affiliated with MetLife... Claim this page', no Submit button (submission_state null). Bugcrowd 404. Synack ECONNREFUSED. security.txt 404/403. Own pages: only phish@metlife.com (phishing). Prior 'none' confirmed.”

“please let us know by emailing our Information Protection & Security team directly at Information.Protection@hcahealthcare.com | We ask that you work with us to diagnose and correct a vulnerability prior to publically disclosing it to ensure the safety and wellbeing of our patients and systems | We ask that you not perform vulnerability or similar testing on products that are actively in use for public safety reasons | In the event you share information with us, you agree that the information you submit will be considered non-proprietary and non-confidential, and that we may use such information in any manner, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for us.”

“Own VDP page. Testing authorized + CFAA: 'Lockheed Martin considers security research and vulnerability disclosure activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act and other applicable computer use laws.' Non-pursuit: 'will not pursue civil or criminal action... for accidental or good faith violations of this policy'. CVD timeline: 'Keep information about any vulnerabilities... confidential between yourself and Lockheed Martin until we have had minimum 120 days to verify and resolve the issue.' L4 signals + published 120-day timeline → L5. Prior L1 was a major miss (HackerOne entry was only a community stub).”

“No external channel. security.txt 404 live + Wayback (Jun 2023–Nov 2024). HackerOne 4 slugs 404; /nyl is a generic non-NYL handle. Bugcrowd 4 variants 404. Synack ECONNREFUSED. Own Information Security page describes internal defensive program only, no report mechanism. Prior 'none' confirmed.”

“By responsibly submitting your findings to Capital One in accordance with these guidelines Capital One agrees not to pursue legal action against you. | Capital One reserves all legal rights in the event of noncompliance with these guidelines. | Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity. | Provide Capital One reasonable time to fix any reported issue. | Out of Scope Vulnerabilities Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.”

“Allstate Identity Protection (Allstate-owned, formerly InfoArmor) security page: 'Report any potential security bug or vulnerability to SecurityDisclosure@infoarmor.com'. No scope, no testing authorization, no safe harbor, no timeline → contact-only L1. Main allstate.com has no PSIRT; security.txt times out; HackerOne empty stub; Bugcrowd 404; Synack ECONNREFUSED. Prior L1 confirmed (subsidiary channel).”

“HackerOne hackerone.com/caterpillar (submission_state=open). disclose.io GOLD-STANDARD safe harbor verbatim: 'We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (TOS) and/or Acceptable Use Policies (AUP)... Will not bring legal action against you... including for bypassing technological measures we use to protect the applications in scope' (= testing authorized + CFAA + ToS/AUP + DMCA 1201). No published CVD deadline → L4. security.txt does NOT resolve at either path (403 Akamai) → securityTxt false.”

“Contact: https://www.ibm.com/trust/security-psirt | Contact: https://hackerone.com/ibm?type=team | Contact: mailto:psirt@us.ibm.com | PSIRT manages Product, Website, Secrets / Tokens Vulnerabilities”

“Product Cybersecurity Coordinated Vulnerability Disclosure Policy. Safe harbor: 'If you comply with this Policy... we will consider your research to be authorized, and not recommend or pursue legal action' + third-party authorization defense. Scope = product cybersecurity (medical devices, SaMD). No statutory carve-outs; timeframes at Lilly's discretion.”

“Real PUBLIC HackerOne VDP under slug 'msd' (Merck Sharp & Dohme), not 'merck' (404). GraphQL submission_state=open, public_mode, scopes *.merck.com + *.msd.com. Own page merck.com/responsible-vulnerability-disclosure-program/ directs to hackerone.com/msd. Safe harbor + explicit authorization: 'Any activities conducted in a manner the Company deems consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior directory-L2 was wrong handle.”

“vulnerabilitydisclosure@nationwide.co.uk | You must not: Break any applicable law or regulations. Access unnecessary, excessive or significant amounts of data. Modify data in Nationwide's systems or services. | Submissions we won't respond to: Vulnerabilities relating to systems, websites or apps which are not owned or controlled by us. | We do not offer financial compensation or any other form of reward for submissions. | By emailing or providing a disclosure to us, you agree to our terms. | We will review all submissions that meet the requirements listed on this page.”

“Product Security Center with per-product-line PSIRT email reporting. Symantec PSIRT symantec.psirt@broadcom.com ('confirm receipt within three business days', ISO 29147); VMware PSIRT vmware.psirt@broadcom.com. Real VDP with submission method/process, no legal safe-harbor commitment. (hackerone.com/broadcom is a directory stub.)”

“security.txt at delta.com/security.txt (ROOT path, not /.well-known/ which 404s) → Contact: ResponsibleDisclosure@Delta.com, Policy: VDP guidelines page. NO safe harbor — 'Delta reserves all legal rights in the event of your noncompliance... to pursue legal action'; requires compliance with Delta's Terms of Use. 5-business-day ack.”

“No researcher channel. security.txt 404 both paths/hosts. HackerOne 'Team does not exist'. Bugcrowd /engagements/publix 404. Synack no DNS. corporate.publix.com is a SPA catch-all (every path incl. nonsense returns same 200 body, no VDP). Prior 'none' confirmed.”

“Real PUBLIC HackerOne VDP (GraphQL submission_state=open, public_mode). Promissory safe harbor: 'Pfizer will not initiate legal action against you for any security research activities... conducted in a manner consistent with this policy.' But testing NOT authorized: 'this policy does not... authorize or encourage any actions...' + 'Do not perform automated scanning or testing.' No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior L1 undercounted.”

“No researcher channel. security.txt 404. HackerOne tdsynnex NOT_FOUND; legacy techdata/synnex are UNCLAIMED community stubs (GraphQL state=null, 'community-curated security page documents any known process...'). Bugcrowd engagements x3 404. Synack no DNS. Own /security + /responsible-disclosure 404. Prior 'none' confirmed.”

“No researcher channel. /.well-known/security.txt 404; /security.txt returns 200 but is the SPA HTML shell (not a real file). HackerOne 'conocophillips' is an UNCLAIMED community stub (GraphQL state=null). Bugcrowd 404. Synack no DNS. Own security page describes internal IT/OT program only (no external report path). Prior 'none' confirmed.”

“security.txt at ROOT /security.txt (200): 'Contact: mailto:security@galaxy.com / Expires: 2025-09-30' (expired but still served). NOT at /.well-known/ (404). No Policy line, no scope, no safe harbor. No dedicated security/disclosure page; no HackerOne/Bugcrowd/Synack. Bare contact → L1 confirmed.”

“Coordinated Vulnerability Disclosure portal at cvd.abbvie.com (web form). SCOPE LIMITED to AbbVie Medical Devices / SaMD, NOT the corporate abbvie.com web property. No safe harbor; submissions deemed non-confidential. 5-business-day ack. (hackerone.com/abbvie is private/invite-only.)”

“LIVE HackerOne VDP (GraphQL: state=public_mode, submission=open, scope *.prudential.com). Safe Harbor: 'Any activities conducted in a manner consistent with this Policy and within the Policy's scope will be considered authorized conduct by Prudential, including under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c).' 'reasonable amount of time to resolve' but no numeric deadline → L4. Prior 'none' was WRONG.”

“security.txt exists (live WAF-blocked 403; via Wayback raw): 'Contact: mailto:soc-sectxt@tjx.com / Expires: 2026-04-16'. Contact only — no scope, no policy, no safe harbor. hackerone.com/tjx is an empty community-curated stub (GraphQL state=null). L1 confirmed.”

“No public reporting channel. security.txt 404 both paths. No HackerOne team (GraphQL NOT_FOUND). No Bugcrowd (404). No Synack. Only IR contact + generic ToU 'notify of any breach' clause. Prior 'none' confirmed.”

“security.txt at /.well-known/ HTTP 200: 'Contact: https://bugcrowd.com/united-vdp / Contact: mailto:bugbounty@united.com / Policy: https://www.united.com/ual/en/us/fly/contact/vdppolicy.html'. Public Bugcrowd VDP (first airline VDP) under Bugcrowd standard disclosure terms (safe harbor for in-scope good-faith research). Triple statutory carve-out could not be confirmed (united.com policy page WAF-blocked) → L3, medium confidence.”

“Oracle PSIRT reporting (WAF-blocked; via Wayback): 'If you are not a customer or partner, please email secalert_us@oracle.com.' Disclosure policy restrictive: 'Oracle does not distribute exploit code... for vulnerabilities in our products.' No testing authorization, no safe harbor, no carve-out → contact/PSIRT-email only = L1. hackerone.com/oracle stub; bugcrowd.com/oracle is /h/ private portal (control-tested). Prior L1 confirmed.”

“The Cisco PSIRT is a dedicated, global team that receives, investigates, and publicly reports information about security vulnerabilities and issues related to Cisco products and services. | Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. | Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the incident reporter to assess the nature of the vulnerability, gather required technical information, and determine appropriate remedial action. | The Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure. | The Cisco PSIRT aligns its practices with ISO/IEC 29147:2018, which are guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization.”

“HP PSRT report page (enable.hp.com/potentialsecurityvulnerability-report) — live web form, product-scoped dropdown, 'HP will acknowledge receipt of the submission within two business days and begin investigating.' No legal/safe-harbor language → real VDP, L2. HP's Bugcrowd bounty is PRIVATE/invite-only (/h/hp). Prior L1 upgraded to L2.”

“No verified public channel across corporate.charter.com, charter.com, spectrum.com. hackerone.com/chartercom is an empty community-curated stub (GraphQL state=null, no scopes). No security.txt anywhere. bugcrowd.com/spectrum is /h/ catch-all (control-tested). Prior 'none' confirmed.”

“Managed HackerOne VDP (no bounty). Scope *.aa.com + regional carriers. Safe harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorizes testing + no legal action (L4). No statutory carve-outs named, no CVD deadline. Verified via real-Chrome render.”

“No channel on any surface. security.txt 404 (apex+www both paths). Only security-adjacent page is financial/ethics disclosures. HackerOne /tyson + /tysonfoods no real program. Bugcrowd 404. Synack refused. UpGuard scan confirms no security.txt/VDP. Prior 'none' confirmed.”

“security.txt at /.well-known/ + root (Canonical https://www.intel.com/security.txt; Policy -> vulnerability-handling-guidelines.html). PSIRT secure@intel.com + Intel Bug Bounty via Intigriti. Safe harbor in bug-bounty terms: 'Intel will not initiate a lawsuit or law enforcement investigation against you in response to your report.' No explicit CFAA/DMCA/ToS carve-out → L3.”

“No channel. Footer/nav have no security/disclosure link; Contact Us is operational/investor only. security.txt 404 both paths. HackerOne enterpriseproducts + enterprise-products 404 (no stub). Bugcrowd 404. Synack refused. Prior 'none' confirmed.”

“No channel. hackerone.com/ingrammicroinc is an empty community stub (real-Chrome: 'There are no known guidelines...' + 'not affiliated', no submit). Bugcrowd 404. Synack NXDOMAIN. No security.txt (WAF). Trust Centre FAQ directs to general support form, no security scope. Prior 'none' confirmed.”

“No VDP at gd.com. security.txt 301→404. Homepage/contact/sitemap no security refs. HackerOne 'generaldynamicssharedr' is empty stub (GraphQL all-null); generaldynamics/general-dynamics/gdit team does not exist. Bugcrowd 404. Synack DNS-fail. Business units publish only DFARS supplier incident reporting (not a researcher VDP). Prior 'none' confirmed.”

“Real HackerOne bug bounty. Safe harbor (promissory): 'If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.' But NO testing authorization ('Actions taken beyond this are not authorized'), NO CFAA/DMCA in the 29k-char rendered policy, and policy REQUIRES ToS compliance (no exemption), no disclosure deadline → L3 (HackerOne's platform Gold-Standard language NOT adopted into Uber's text). Prior L1 undercounted; not over-called to L4.”

“Contact: https://bugcrowd.com/engagements/usaa | Contact: mailto:disclosure@usaa.com | Policy: https://bugcrowd.com/usaa”

“TIAA security-center page → HackerOne embedded form rendering the full 'TIAA Vulnerability Disclosure Policy'. Safe harbor: 'we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you...; Authorized concerning any relevant anti-circumvention laws...; Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)... and we waive those restrictions on a limited basis.' Scope (*.tiaa.org, *.tiaa-cref.org, *.nuveen.com). No published public-disclosure deadline → L4. Prior 'none' was a major miss.”

“No researcher channel. HackerOne (liberty_mutual/libertymutual/liberty-mutual all 404). Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (libertymutual.com) / Akamai 403 with no archived file (libertymutualgroup.com). Only 'Security Policy' page is customer-data protection, no researcher reporting. Prior 'none' confirmed.”

“Synack commits that, if we conclude, in our sole discretion, that a security vulnerability submitted through our Site complies with the Terms of Use, the applicable Scope and Rules of Engagement and the applicable Responsible Disclosure Guidelines, Synack will not bring a private action against you or refer the matter for public inquiry. | The following web applications are in scope: *.travelers.com | If you submit a valid vulnerability, you will be notified after a fix has been issued, and you will have the opportunity to be added to the Acknowledgments page and to disclose the vulnerability. | Adhere to these Guidelines and the Rules of Engagement and Scope, and do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of Travelers' information and systems.”

“No channel. HackerOne GraphQL 'bms' = Team does not exist (the 200 is an SPA shell); 3 other slugs 404. Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (the Wayback 200 is an Incapsula WAF challenge page, not a real file). Only privacy (dpo@bms.com) + compliance Integrity Line. Prior 'none' confirmed.”

“Safe harbour for researchers is applied | with the exception of what is listed as explicitly out-of-scope you are welcome and encouraged to submit impactful findings on any asset you can attribute to The Coca-Cola Company or our brands! | Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)”

“Real first-party VDP (full text read from __NEXT_DATA__). Scope + submission form (nike.com/help/disclosure) + prohibited-methods list. Not a bounty. CVD timeline present: 'We're committed to patching in-scope vulnerabilities in 90 days or less' + 90-day confidentiality. Safe harbor only soft ('open dialogue... without fear of reprisal') — NO explicit non-pursuit, NO testing authorization, NO CFAA/DMCA/ToS carve-out → L2. (hackerone.com/nike is an empty unclaimed stub, does not count.) Prior L2 confirmed.”

“Self-hosted Responsible Disclosure Policy; report via responsible.disclosure@massmutual.com. Structured RDP rules + scope, but NO safe harbor and explicitly hostile: 'MassMutual expressly reserves all rights afforded to it, by law or in equity.' Prohibits public disclosure without consent.”

“First-party responsible-disclosure policy (bhp.com/responsible-disclosure). Scope + submit to cybersecurity@bhp.com, but RESTRICTS testing: 'Do not attempt to exploit any potential vulnerabilities'; 'use of scanners or automated tools' prohibited; 'BHP does not provide any form of compensation'. No safe harbor, no authorization, no carve-out, no deadline → L2. HackerOne bhp NOT_FOUND/bare; Bugcrowd 404; no valid security.txt.”

“Self-authored VDP (scope + email submit to vulnerability@cba.com.au + prohibited activities). Explicit no-safe-harbor: 'CommBank does not waive any rights or claims with respect to such activities.' No non-pursuit, no authorization, no carve-out, no timeline → L2. Real text/plain security.txt at /.well-known/ (Contact: vulnerability@cba.com.au). HackerOne commonwealthbank null stub.”

“Public Bugcrowd VDP (visibility_public, open, 37 vulns, Safe-harbor status 'full'). Brief Safe Harbor verbatim: 'Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy; Exempt from the Digital Millennium Copyright Act (DMCA)... circumvention of technology controls; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Explicit testing authorization + all three carve-outs → L4. No numeric disclosure deadline → not L5. (Confirmed by two independent reads; the first under-graded L2 when the brief legalese was gated.)”

“Bugcrowd VDP (nationalaustraliabankog), real-Chrome confirmed safe-harbor tier = 'Partial safe harbor' (Bugcrowd partial = a limited goodwill non-pursuit commitment). Promissory non-pursuit, testing NOT explicitly authorized, no statutory carve-out, no disclosure deadline -> L3 (consistent with Telstra/ANZ partial-tier programs). HackerOne nab null stub.”

“Bugcrowd VDP (anz-vdp), real-Chrome confirmed safe-harbor tier = 'Partial safe harbor' (limited goodwill non-pursuit commitment). Promissory non-pursuit, testing NOT explicitly authorized, no statutory carve-out, no deadline -> L3 (consistent with Telstra/NAB partial-tier programs).”

“No researcher channel on the parent domain. /security-privacy is privacy-only; FY22 cyber page is internal practices only. security.txt both paths + www → HTML 404 (no Contact:). HackerOne wesfarmers null stub. Bugcrowd /engagements/wesfarmers 404. Subsidiaries (Bunnings/Kmart) excluded per parent scope → L0.”

“Real-Chrome (Interceptor) read of the Bugcrowd brief — full disclose.io safe harbor, verbatim: 'Safe Harbor: When conducting vulnerability research according to this policy, we consider this research to be: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)... circumvention of technology controls; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Testing authorized + 3 carve-outs (CFAA/DMCA/ToS) -> L4. 'Does not allow disclosure' -> no L5. (Earlier WebFetch could not render this JS/auth-gated brief; confirmed live in real Chrome 2026-06-21.)”

“No channel. Governance/ethics page has only a general Integrity Helpline (not a VDP). HackerOne newmont empty shell. Bugcrowd /engagements/newmont 404. security.txt → 'Invalid key' WAF string (no Contact:) / 404. → L0.”

“No channel. HackerOne GraphQL goodman/goodmangroup NOT_FOUND. Bugcrowd /engagements/{goodman,...} 404 (bare /goodman = /h/ catch-all only). security.txt 403 WAF JS-challenge / Next.js 404; Wayback never archived. No VDP/PSIRT page. → L0.”

“hackerone.com/riotinto is an UNCLAIMED community/external directory stub, NOT a real program: GraphQL submission_state:null/policy:null, and the real-Chrome page renders verbatim 'There are no known guidelines for reporting potential security vulnerabilities' (HackerOne's text for an unconfigured directory listing). No own-site security.txt or policy either. No real researcher channel -> L0. (Confirmed real Chrome 2026-06-21.)”

“No researcher channel. security.txt 404 (fortescue.com + www; fmgl.com.au redirects to 404). HackerOne fortescue 404. Bugcrowd /engagements/fortescue(-metals) 404. Only reporting path is the 'Speak Up' EthicsPoint whistleblower hotline (scoped to misconduct, not security) → does not qualify. → L0.”

“Real active Bugcrowd VDP (brief changelog 2025-10-09). Authorizes scoped testing: 'Testing is only authorised on the targets listed as in scope.' safeHarborStatus={status:'partial', 'limited goodwill statement about not pursuing legal action'} — promissory non-pursuit present but limited, NO statute-specific carve-out (no Criminal Code/anti-circumvention/ToS), no disclosure deadline (disclosure prohibited) → L3. HackerOne telstra null stub. No valid security.txt. Telstra's own hub links to the Bugcrowd engagement.”

“No channel for CSL Limited (biotech, csl.com). security.txt 404 (apex+www). /disclosures is legal/financial; data-protection page is internal gov only. TRAP: hackerone.com/csl + csl-group.com VDP belong to a DIFFERENT company (CSL Group M2M/IoT), excluded. -> L0.”

“No channel. security.txt 404 (all paths). hackerone.com/woodsideenergy is an UNCLAIMED external directory stub (is_external_program:true, policy:null, claimed:false; GraphQL submission_state:null) -> does not count. Bugcrowd /engagements/woodside(-energy) 404. -> L0.”

“No channel. security.txt absent (HTML homepage / 404 at all paths; Wayback empty). hackerone.com/transurban 404. Bugcrowd /engagements/transurban + bare 404. /privacy lists only privacy + tolling emails. -> L0.”

“Company page: 'email vulnerabilitydisclosure@woolworths.com.au' — contact only, no policy/scope. Testing NOT authorized: 'does not condone... testing activities that violate laws and regulations.' No safe harbor. HackerOne woolworthslimited exists but empty policy/scope (not confirmable open). No security.txt. -> L1.”

“Company Responsible Disclosure Program. Non-pursuit: 'we will not take legal action against security researchers acting in good faith... provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program.' Submit to security@qbe.com. Testing NOT affirmatively authorized (only services 'to which you have authorised access'); no carve-out, no deadline -> L3. (read via Wayback raw + regional mirrors). HackerOne qbe empty stub.”

“No channel. security.txt redirects to HTML 404 (aristocrat.com + aristocratgaming.com 200-but-HTML). HackerOne GraphQL NOT_FOUND for 6 slug variants (the /aristocrat 200 is SPA shell). Bugcrowd /engagements/ 404 x4 (bare -> /h/ catch-all). Only Privacy/Disclosure/Whistleblower policies. -> L0.”

“Real-Chrome read of the Bugcrowd brief (coles-vdp-pro) — full disclose.io safe harbor renders verbatim: 'Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)...; Exempt from restrictions in our Terms & Conditions... we waive those restrictions.' Testing authorized + 3 carve-outs -> L4 (the full-safe-harbor text renders only for full-tier engagements; verified program-specific, not boilerplate). 'Does not allow disclosure' -> no L5. (Earlier WebFetch/Wayback could not render the full section; confirmed in real Chrome 2026-06-21.)”

“No channel. No security/disclosure page; contact-us has only general emails. HackerOne 3 slugs empty/404. Bugcrowd /engagements/ 404. security.txt 404 (apex+www). -> L0.”

“No channel (brambles.com + chep.com). Only a 'Speak Up' ethics hotline + privacy breach notice. TRAP: brmbl.io 'Bramble' VDP is a DIFFERENT company (GitLab fork), excluded. HackerOne /brambles 404, /chep empty. Bugcrowd 404. security.txt 404 both domains. -> L0.”

“No channel. Contact page has only office phones, registry, whistleblower line. security.txt 404 both paths. HackerOne 2 slugs 404. Bugcrowd 3 slugs 404. -> L0.”

“No channel. security.txt clean 404 x3. HackerOne /amcor 404. Bugcrowd /engagements/amcor + bare 404. Governance page lists 26 policies, none a VDP. -> L0.”

“Valid text/plain security.txt → Bugcrowd santos-vdp (open). Authored safe harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate and legal action against you...' + 'Testing is only authorized on the targets listed as in scope.' No named statutory carve-out, no DMCA/ToS, no deadline -> L3. HackerOne santos empty placeholder.”

“No channel. security.txt 404 (apex+www, no Wayback capture). HackerOne /computershare 404. Bugcrowd /engagements/computershare + bare 404. Site describes internal/contracted pentesting only; the one security email is for account fraud. → L0.”

“Company-authored VDP (scope + email submit to vulnerability@suncorp.com.au). No safe harbor — prohibits automated tools and reserves rights: 'Suncorp reserves the right to act against individuals engaged in any of the activities listed above.' No carve-out, no timeline → L2. No security.txt; no HackerOne/Bugcrowd. (VDP on customer site suncorp.com.au, not corporate.)”

“HackerOne 'scentregroup' exists in directory but is NOT public/open: GraphQL submission_state:null/state:null/policy:null (control: a public program returns submission_state:'open'). All Wayback snapshots show only directory boilerplate, no authored policy. No public gradeable policy → null/L0. Bugcrowd 404; security.txt 404.”

“No channel. pilbaraminerals.com.au 301→pls.com. No security/responsible-disclosure page; governance lists 25 policies, none for vuln disclosure. Only security-adjacent contact is a privacy officer. security.txt 404 (both domains). HackerOne/Bugcrowd 404. → L0.”

“Only authored artifact was a security.txt (contact cybersecurity@iag.com.au, 'No paid bounties currently offered') — contact only, no scope/policy. BUT it EXPIRED 1 Jan 2025 and now 404s (live Akamai 403; Wayback 404 since 2025-05). HackerOne /iag is a reserved null stub. → L1 (on the historical contact; arguably 'removed' now). confidence medium (archived, not live).”

“Valid text/plain security.txt → Bugcrowd engagement originenergy-og1 (active, changelog 2026-03-30) + digitalsecurity@originenergy.com.au. Brief Safe Harbor verbatim: 'we consider this research to be: Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...; Exempt from the Digital Millennium Copyright Act (DMCA)...; Exempt from restrictions in our Terms & Conditions... we waive those restrictions on a limited basis.' Testing authorized + 3 carve-outs → L4. No disclosure deadline → not L5. (Carve-out cites US CFAA/DMCA — Bugcrowd boilerplate — mapped to cfaaCarveout per instruction; page may footnote US-law references.)”

“No channel. HackerOne GraphQL NOT_FOUND (south32, south-32). Bugcrowd /engagements/south32 404. security.txt 404/empty (south32.net + south32.com); Wayback 0 snapshots. -> L0.”

“REA security page → public Bugcrowd bug bounty (rea-mbb-og, live, changelog 2026-06-01). Authored non-pursuit: 'Not pursue legal action related to your discovery and reporting of the vulnerability (in relation to any non-compliance... we reserve all of our legal rights).' Published timeline: confidentiality 'no less than 90 days'. NO explicit testing authorization, NO named statutory carve-out -> L3 (L5 needs L4 first). Carve-outs graded from REA's authored text only.”

“No channel. security.txt 404 HTML both paths. HackerOne GraphQL NOT_FOUND (6 slugs). Bugcrowd /engagements/ 404 x2. /contact has only IR/media/general; whistleblower only. -> L0.”

“No channel. security.txt 404 HTML across promed.com.au/promedicus.com/visage(imaging).com. HackerOne GraphQL NOT_FOUND (promedicus, pro-medicus, visage). Bugcrowd /engagements/ 404 x3. Privacy only. -> L0.”

“No channel. security.txt 404 HTML both paths; Wayback none. HackerOne GraphQL NOT_FOUND (4 slugs). Bugcrowd /engagements/ 404 x2. Contact/privacy only; subsidiaries (WesTrac/Coates/Boral/SWM) don't cover parent. -> L0.”

“No channel. security.txt 404 HTML both paths; Wayback 404 since 2024. HackerOne GraphQL NOT_FOUND (soulpatts, whsp, soulpattinson). Bugcrowd /engagements/ 404 x4. /privacy only (also checked new name WHSP Holdings). -> L0.”

“No channel. security.txt 404 HTML (jameshardie.com + .com.au, both paths). HackerOne 3 slugs 404. Bugcrowd /engagements/ 404 x2. Only ASX/SEC disclosure policy + ethics hotline. -> L0.”

“Valid text/plain security.txt (both paths) → open Bugcrowd VDP (qantas-vdp-ess, In progress since Nov 2025). Qantas-authored security.txt grants NO authorization — lists ONLY prohibitions: 'The following activities are strictly prohibited and are not authorised by Qantas Group under any circumstances...'. Only safe-harbor framing is Bugcrowd boilerplate (not credited). '21 days validation' is an SLA, not a deadline. HackerOne /qantas unaffiliated stub. -> L2.”

“No channel. security.txt 404 (bluescope.com HTML; bluescopesteel.com.au plain 404). HackerOne 4 slugs 404. Bugcrowd /engagements/ 404 x4. Only privacy + ethics emails. -> L0.”

“No channel. security.txt 404 Next.js HTML (4 URLs). HackerOne minres/mineralresources absent (bounty-targets-data 457 handles, no match). Bugcrowd 404 x2. Only 'MinRes Integrity Assist' whistleblower. -> L0.”

“No channel. security.txt 404 both paths; sitemap has no security URLs. HackerOne 'apa' = American Psychological Association (different co); 'apagroup' 404. Bugcrowd 404 x2. Only whistleblower hotline. -> L0.”

“No researcher channel (despite the 2022 mega-breach). security.txt 301→unreachable internal AEM host (text/html, no Contact); root 404. /security/ + /cybersecurity 404. HackerOne 2 slugs 404. Bugcrowd 404 x3. Own guidance points public to ScamWatch/ACSC (consumer fraud, not researcher VDP). -> L0.”

“Valid PGP-signed text/plain security.txt: 'Contact: mailto:csirt@wisetechglobal.com' + Expires 2026-11-27. No Policy field, no scope, no safe harbor. /information-security/ page has no reporting channel. Contact-only → L1.”

“Xero's OWN authored VDP policy: research 'authorized in accordance with the Computer Fraud and Abuse Act (CFAA)... we will not initiate or support legal action...'; 'exempt from the Digital Millennium Copyright Act (DMCA)...'; 'exempt from restrictions in our terms of use... we waive those restrictions on a limited basis.' Authorization + all 3 carve-outs → L4. No disclosure deadline → not L5. Submissions via Bugcrowd xero-vdp-pro (open).”

“Authored Responsible Disclosure Statement. Non-pursuit: 'Not pursue legal action related to your discovery and reporting of the vulnerability...'. Testing NOT authorized: 'does not give you permission to breach any laws...'. 90-day confidentiality timeline. No carve-out → L3 (L5 needs L4). Valid PGP security.txt.”

“No channel. No VDP page (privacy+T&C only). HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404. security.txt redirect-loop / CF 403 (no real text/plain file); Wayback none. -> L0.”

“No channel. HackerOne GraphQL NOT_FOUND (4 slugs). Bugcrowd 404. security.txt → site HTML 404 both paths; Wayback none. Only Continuous Disclosure (financial) + privacy. -> L0.”

“No channel. HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404 x3. security.txt 404 HTML both paths (apex+www); Wayback none. Privacy + contact only. -> L0.”

“No channel. security.txt 404 both paths. Security pages cover only physical/ISO/SOC/PCI compliance. HackerOne /nextdc 404. Bugcrowd 404. -> L0.”

“No channel. security.txt = Cloudflare JS challenge (403, no text/plain); Wayback none. HackerOne /orica bare page, absent from datasets. Bugcrowd 404. Only privacy/governance/whistleblower. -> L0.”

“carsales (CAR Group) own Responsible Disclosure page: scope + 'send an email to security@carsales.com.au'. No safe harbor — reserves legal rights: 'we will put the handbrake on, cease your participation... and reserve all our legal rights.' Prohibits ToS breach (not waive), no testing auth, no carve-out, no timeline -> L2. HackerOne carsales = null stub (does not count).”

“HackerOne lists a 'Stockland | VDP' title but GraphQL team(handle:stockland) returns submission_state:null/policy:null — a null stub that does NOT count (bare client-rendered shell). No own-site page; Bugcrowd 404; security.txt 403 WAF, no Wayback. No confirmed readable channel -> L0.”

“Only security page is scam/phishing reporting (hoax@asx.com.au) — fraud infrastructure, not a researcher channel. No VDP/scope/safe harbor. HackerOne GraphQL 'Team does not exist'. Bugcrowd 404 x3. security.txt HTML 404, no Wayback. -> L0.”

“Company-authored VDP (group + subsidiaries): 'To report a vulnerability, please fill out the below form.' Scope + submission + a coordination/5-day clause, but NO testing authorization and NO non-pursuit/CFAA/DMCA/ToS carve-out -> L2. Has a security.txt + a parallel Bugcrowd sonic-vdp-pro engagement.”

“'Security and privacy incident reporting': 'Email privacy@technologyonecorp.com or security@technology1.com to notify TechnologyOne of a privacy or security breach.' Customer breach channel only — no researcher VDP, no scope, no safe harbor -> L1. HackerOne NOT_FOUND; Bugcrowd 404; no security.txt.”

“No channel. HackerOne 'thegptgroup' is a null stub (GraphQL submission_state:null) — does not count; other slugs NOT_FOUND. Privacy only; security.txt 404 both paths; Bugcrowd 404 x3. -> L0.”

“No channel. security.txt 404 (greatland.com.au + greatlandgold.com). HackerOne NOT_FOUND (3 slugs). Bugcrowd 404 x3. Privacy only. -> L0.”

“No channel. Only /security page is ISO/NHS data-protection posture (no reporting). security.txt 404 across .com/.com.au/.co.uk. HackerOne NOT_FOUND. Bugcrowd 404. Only privacy officer email. -> L0.”

“No channel. security.txt clean 404. No security page; privacy only. HackerOne qube + qubeholdings NOT_FOUND (no stub). Bugcrowd 404 x3. (security@qube-rt.com is unrelated Qube Research & Technologies.) -> L0.”

“No channel. security.txt 404 (Shopify HTML / size-0). No VDP page. HackerOne NOT_FOUND. Bugcrowd 404 x3. The Good Guys (subsidiary) also none. -> L0.”

“Ampol's own Safe Harbour prose: 'we consider this research conducted under this policy to be: Authorised in view of any applicable anti-hacking law; Authorised in view of relevant anti-circumvention laws...'. Submit via embedded HackerOne form. testingAuthorized + anti-hacking (CFAA-equiv) + anti-circumvention (DMCA-equiv) = L4. No ToS waiver, no deadline. Confirmed by adversarial double-read.”

“Medical-device maker but no researcher VDP. security.txt 404 (3 paths). HackerOne GraphQL NOT_FOUND (3 slugs). Bugcrowd 404. Data Privacy page routes to customer service. -> L0.”

“Valid security.txt (200 text/plain): 'Contact: mailto:vulnerability@tpgtelecom.com.au / Expires: 2027-01-01'. Contact only, no policy → L1. HackerOne tpg_telecom unclaimed stub (does not count).”

“No channel. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 307→SPA HTML; /security + /responsible-disclosure SPA soft-404s. -> L0.”

“No channel. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 404 (no Wayback). 25+ governance policies, none security. -> L0.”

“No channel. hackerone.com/aurizon empty stub (submission_state:null, does not count). Bugcrowd 404 x2. security.txt 404 (aurizon.com.au); aurizon.com is a parked lander. -> L0.”

“No channel. security.txt 404 both paths (genuine). HackerOne /mirvac JS stub (no open program). Bugcrowd 404. Only privacy@mirvac.com. -> L0.”

“No channel. security.txt 404 HTML both paths; Wayback none. HackerOne 2 slugs 404. Bugcrowd 404 x2. Governance has no security terms. -> L0.”

“No live channel. A contact-only security.txt (cyberteam@challenger.com.au) existed 2023→late-2024 but is REMOVED (live 404 HTML; Wayback 404 since 2025-05). No disclosure page (consumer scam tips only). HackerOne /challenger no program. Bugcrowd 404. -> L0.”

“No channel. security.txt genuine 404 both paths; Wayback none. HackerOne 3 slugs 404. Bugcrowd 404 x3. Contact page has no security contact. -> L0.”

“No verifiable channel. ENTIRE domain returns 403 to all clients incl. real Chrome (hard geo/IP block) — on-site page can't be read but no independently verifiable channel exists. security.txt 403 HTML (no Wayback). HackerOne 4 slugs 404. Bugcrowd 404 x2. -> L0.”

“No channel. security.txt 404 (apex+www, both paths). HackerOne /dexus empty stub. Bugcrowd 404 x2. Privacy has only an internal breach plan, no reporting mechanism. -> L0.”

“No channel. security.txt 404 both paths (no Wayback). HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. /security + /responsible-disclosure 404. Privacy only. -> L0.”

“No channel. security.txt 404 (no Wayback). HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only an internal Information Security Policy (governance, not researcher VDP). -> L0.”

“Real published VDP: scope ('independent security researchers for any internet facing systems or SaaS') + submit to security@edg.com.au. NO safe harbor — reserves rights: 'In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights.' No testing auth, no carve-out, no deadline -> L2.”

“No channel. security.txt 404. HackerOne GraphQL NOT_FOUND. Bugcrowd 404. /security 200 but is homepage shell (no disclosure content); /responsible-disclosure 404. -> L0.”

“No channel. security.txt 404 (no Wayback). HackerOne GraphQL NOT_FOUND. Bugcrowd 404. /security + /responsible-disclosure + /vulnerability-disclosure-policy all 200 but are Incapsula WAF challenge shells (byte-identical to a nonsense control) — not real pages. -> L0.”

“No channel. security.txt 404. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404. /security + /responsible-disclosure 404. Only internal info-security policy. -> L0.”

“Open Bugcrowd VDP (in_progress, open, safeHarborStatus 'declined'). Own page → Bugcrowd; 'does not compensate'. Only legal sentence is boilerplate ('comply... with the BugCrowd Standard Disclosure Terms') — no authored safe harbor/authorization/carve-out -> L2. HackerOne bendigobank empty stub (does not count).”

“Real responsible-disclosure policy (scope + security@agl.com.au). Narrow conditional auth only: 'We allow you to conduct vulnerability research and testing only on our services... to which you have authorised access.' Anti-protective: 'AGL does not condone any malicious or illegal behaviour...'. 72h ack SLA (not deadline). No safe harbor/carve-out -> L2. HackerOne aglenergy empty stub.”

“No channel. security.txt HTML 404 both paths + Wayback. HackerOne NOT_FOUND (2 slugs). Bugcrowd 404 x3. Only a privacy breach clause. -> L0.”

“No channel. security.txt 404 (apex+www; Wayback 404 since 2023). HackerOne NOT_FOUND (4 slugs). Bugcrowd none. Policies index (23 policies) has no security/VDP. -> L0.”

“No channel. security.txt HTML 404 both paths + Wayback. HackerOne NOT_FOUND (3 slugs). Bugcrowd 404 x3. No disclosure page. -> L0.”

“No channel. security.txt 404 (apex 301→www→404; no Wayback). HackerOne NOT_FOUND (3 slugs). Bugcrowd none. Only legal/privacy/governance + a 2026 ransomware writeup. -> L0.”

“No channel. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. security.txt 404 both paths. Only privacy@telixpharma.com (privacy). -> L0.”

“Open public Bugcrowd bug-bounty (engagement in_progress, pay_for_success). SEEK page links it. Brief has scope+submit+rewards but NO safe harbor/non-pursuit/authorization/carve-out — in fact restrictive ('Customer instances are not to be accessed... will be considered a breach of our Terms and Conditions') -> L2. HackerOne NOT_FOUND.”

“No channel. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404. security.txt 404 both paths. Only ESG mentions of internal controls. -> L0.”

“No channel. security.txt 404 both paths. HackerOne GraphQL NOT_FOUND. Bugcrowd 404 x2. Only privacy@metcash.com (privacy). -> L0.”

“No channel. security.txt 404 (thea2milkcompany.com); US sub a2milk.com/security.txt 200 but empty HTML SPA shell (no Contact, rejected). HackerOne NOT_FOUND (3 slugs). Bugcrowd 404. -> L0.”

“Authored VDP. Testing auth + non-pursuit: 'we will consider your research to be authorised and... Ansell will not recommend or pursue legal action related to your research.' Third-party defense + published CVD timeline: '90 calendar days... (software) or 120 calendar days... (hardware, firmware, and wireless).' BUT only ONE carve-out (non-pursuit/anti-hacking-equiv); NO DMCA/anti-circumvention, NO ToS waiver → fails L4 '≥2 carve-outs' gate despite the timeline -> L3 (re-verified directly). Valid text/plain security.txt.”

“Real text/plain security.txt: ASCII banner 'infosec ... at amp.com.au' + encryption pubkey. Contact only, no policy/scope/safe harbor -> L1. HackerOne 'ampau' is a directory stub (submission_state:null). No Bugcrowd.”

“No channel. HackerOne 'boq' stub (GraphQL submission_state:null); bankofqueensland not found. security.txt 404 both paths (boq.com.au + boqgroup.com). Bugcrowd 404. /responsible-disclosure real 404. Own pages = customer fraud guidance only. -> L0.”

“Real text/plain security.txt (also on dynonobel.com + parent incitecpivot.com.au): 'Contact: mailto:itsecurity@Incitech.com.au / Expires 2025-12-31'. Contact only, no policy -> L1. CAVEAT: EXPIRED (2025-12-31) and contact host Incitech.com.au is NXDOMAIN — email currently unreachable, but a valid Contact line is served live. No HackerOne/Bugcrowd.”

“Own coordinated-disclosure policy: 'we support coordinated vulnerability disclosure... We welcome vulnerability testing... please send an email to securityreports@fphcare.com.' 10-business-day response SLA (not a deadline). NO safe harbor/non-pursuit, NO statutory carve-out, NO deadline. 'Welcome testing' is encouragement, not authorization-with-carve-outs -> L2. No security.txt, no platform program.”

“Own 'Responsible Reporting' policy: scope + 'report it as soon as possible to securityreporting@lnw.com.' NO safe harbor/non-pursuit; RESTRICTS the researcher ('Please DO NOT... Take any action that might violate any applicable laws or agreements'), no testing authorization, no carve-out, no deadline -> L2. No security.txt, no platform program.”

“Real OPEN HackerOne program (GraphQL submission_state:'open', state:'public_mode') with authored Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. Promissory non-pursuit + authorization, but NO named statutory carve-outs (no CFAA/DMCA/ToS; <2 for L4), resolution case-by-case (no deadline) -> L3. Own resmed.com/security + ap.resmed.com link to it; no security.txt.”

“No channel. security.txt 301→www→404 both paths. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only general + Ethics Line (conduct, not security). -> L0.”

“No channel. security.txt clean 404 both paths. HackerOne GraphQL NOT_FOUND (2 slugs). Bugcrowd 404 x2. Only Privacy Officer email. All 'Sigma' VDP hits were DIFFERENT companies (Sigma360/Computing/Aldrich). -> L0.”

“No channel. security.txt FAKE-200: serves Next.js HTML SPA shell (not text/plain, no Contact:) — HTML-masquerade trap. HackerOne no team. Bugcrowd none. Only general/investor contacts. -> L0.”

“Real public Cash App / Block Bugcrowd bounty (since Jun 2020; P1 $5k-$18k; 53 vulns). Authored policy: 'we promise not to bring legal action against researchers who: Share with us the full details... Do not disclose the issue to others until we've had a reasonable time to address it and disclosure has been approved by us.' Non-pursuit + authorized testing, but ZERO CFAA/DMCA/ToS carve-outs in authored prose (keyword-searched), and disclosure is gated (no CVD timeline) → fails two-of-three L4 → L3. cash.app security.txt valid (text/plain → Bugcrowd). block.xyz itself no security.txt. (Block migrated off HackerOne — square NOT_FOUND.)”