Introduction


Anglian Water greatly appreciates ethical security researchers with good intentions carrying out investigative work into security vulnerabilities. Anglian Water is committed to the thorough investigation and resolution of security issues in our online services in collaboration with the security research community. This program aims to define a method by which Anglian Water can work with the security research community to improve our online security.

 

Scope


This program applies only to vulnerabilities in Anglian Water online services under the following conditions:

 

  • Only vulnerabilities which are previously unreported and not already known to Anglian Water
  • Only domains/subdomains which have a security.txt file in their root i.e. https://<subdomain.domain.tld>/security.txt
  • Volumetric issues are not in scope, i.e. overwhelming our services with a high volume of requests (denial of service) is not in scope
  • This program applies to everyone, including Anglian Water staff and third party suppliers.
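The second scope condition is mechanical: a host is in scope only if it serves a security.txt file. The script below is an added example (not Anglian Water's code) of how a researcher can check that before touching a target. It tries the RFC 9116 location (/.well-known/security.txt) as well as the root path this program names, then parses the file and applies the extra hygiene checks a researcher should make: a Contact field is present, the Expires date has not passed, and the Canonical entry (if any) matches where the file was fetched from. The sample security.txt body and the example.com hostnames are constructed for illustration, not taken from any real site; the network fetch is optional and the parsing and scope logic run offline.

```python
"""Added example: check whether a target host serves a valid security.txt (RFC 9116)."""
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed sample body, for illustration only (not a real organisation's file).
SAMPLE_SECURITY_TXT = """\
# Constructed example
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Canonical: https://www.example.com/.well-known/security.txt
Policy: https://www.example.com/vulnerability-disclosure
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercased field: [values]}, ignoring comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; skip rather than guess
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_txt_locations(url):
    """Candidate URLs for a target: the RFC 9116 well-known path first, then the root path."""
    parts = urlsplit(url)
    base = urlunsplit(("https", parts.netloc.lower(), "", "", ""))
    return [base + "/.well-known/security.txt", base + "/security.txt"]


def _parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' or a missing offset is treated as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def is_in_scope(url, body, now=None, fetched_from=None):
    """Return (in_scope, reason) for a security.txt body fetched for `url`.

    `now` may be an ISO 8601 string (useful for deterministic checks) or None for the current time.
    `fetched_from` is the URL the body was actually retrieved from, compared against Canonical.
    """
    now_dt = _parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields = parse_security_txt(body or "")
    if "contact" not in fields:
        return False, "no Contact field"
    expires = fields.get("expires")
    if not expires:
        return False, "no Expires field (required by RFC 9116)"
    try:
        exp = _parse_ts(expires[0])
    except ValueError:
        return False, "unparseable Expires value"
    if exp <= now_dt:
        return False, "security.txt has expired"
    canonical = fields.get("canonical")
    if canonical and fetched_from and fetched_from not in canonical:
        return False, "fetched URL not listed in Canonical"
    return True, "ok"


def fetch_security_txt(url, timeout=10):
    """Single GET per candidate location; returns (location, body) or (None, None). Needs network."""
    for loc in security_txt_locations(url):
        try:
            with urllib.request.urlopen(loc, timeout=timeout) as resp:
                if resp.status == 200:
                    return loc, resp.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, OSError):
            continue
    return None, None


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    target = "https://www.example.com/account/login"
    loc = security_txt_locations(target)[0]
    print(loc, is_in_scope(target, SAMPLE_SECURITY_TXT, fetched_from=loc))
```

One GET per candidate path is all this needs, so it stays well clear of the volumetric behaviour the scope section excludes. A passing check only tells you the host publishes a security.txt; the remaining scope conditions (previously unreported, non-volumetric) still have to be judged by hand.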

 

Bug Bounty / Reward Program


Unfortunately, it is not possible for Anglian Water to offer a paid bug bounty program or other payment for any vulnerabilities that individuals report to us. However, we would like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us and who adhere to this program. Therefore, those who report in-scope vulnerabilities will be offered a small, unique Anglian Water reward, at Anglian Water’s sole discretion.

 

Reporting a vulnerability


If you have discovered an issue which you believe is an in-scope security vulnerability, please email cybersecurity@anglianwater.co.uk including:

 

  • Your name
  • The website or page in which the vulnerability exists
  • A brief description of the type of vulnerability e.g. “XSS vulnerability”. Please do not include any details which would allow reproduction of the issue at this stage. We will request details subsequently, over encrypted communications.

Please read this program fully prior to reporting any vulnerabilities to ensure that you understand the program and can act in compliance with it.

 

What to expect


In response to your email to cybersecurity@anglianwater.co.uk, a member of the Anglian Water Cyber Security team will contact you and provide the necessary instructions for encrypted communication of the more sensitive details relating to the vulnerability.


The Anglian Water Cyber Security team will notify you when the vulnerability is resolved and will ask you to confirm that the solution covers the vulnerability adequately.

 

Guidance


Security researchers must not:

 

  • Use vulnerability scanners or other automated tools that may impact website performance or cause any other negative impact;
  • Access unnecessary amounts of data. Two or three records, for example, are enough to demonstrate most vulnerabilities;
  • Violate the privacy of Anglian Water customers, staff, contractors, systems etc., for example by sharing, redistributing and/or not properly securing data retrieved from our systems or services;
  • Communicate any vulnerabilities or associated details via methods not described in this program or with anyone other than the Anglian Water Cyber Security team;
  • Modify data in our systems/services which is not your own;
  • Disrupt our service(s) and/or systems; or
  • Disclose any vulnerabilities to 3rd parties/the public prior to Anglian Water confirming that the vulnerability has been mitigated or rectified.

We request that any and all data retrieved during research is securely deleted as soon as it is no longer required and, in any case, no later than 1 month after the vulnerability is resolved, whichever occurs first.

 

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact the Anglian Water Cyber Security team for guidance (please do not include any sensitive information in the initial communications): cybersecurity@anglianwater.co.uk.

 

Legalities


This program is designed to be compatible with common good practice among well-intentioned security researchers. All researchers must comply with all applicable local and national laws. This program does not give you permission to act in any manner that is inconsistent with the law or cause Anglian Water to be in breach of any of its legal obligations, including but not limited to:

 

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)

Anglian Water will not seek prosecution of any security researcher who reports, in good faith and in accordance with this program, any security vulnerability on an in-scope Anglian Water service. 

 

Anglian Water has never given permission/authorisation (either implied or explicit) to any individual or group of individuals to extract personal information or content of Anglian Water employees, customers or website users and publicise this information on the open, public-facing internet without the individual’s consent. Nor has Anglian Water ever given permission for programs or data belonging to Anglian Water to be modified or corrupted in order to extract and publicly disclose data belonging to Anglian Water.

 

Anglian Water may withdraw this program and procedure at any time, at its sole discretion and without notice.

 

Feedback


If you wish to provide feedback or suggestions on this program, please contact our Cyber Security team: cybersecurity@anglianwater.co.uk. This program will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.