BAE Systems, Inc. (“BAE Systems”) is committed to responding quickly to potential security vulnerabilities in its products and services. We appreciate the opportunity to collaborate with researchers in identifying and eliminating vulnerabilities. We are always happy to build new working relationships and take steps towards making the digital world a safer place for everyone.
Reporting suspected vulnerabilities
To report a suspected security vulnerability on a BAE Systems product or service, send an email to vulnerability@baesystems.us.
Please provide any support material that you believe will be useful in helping us understand the nature and severity of the vulnerability. For example:
- The IP address and/or URL of the page where you found the vulnerability.
- A description of the type of vulnerability, for example Cross-Site Scripting (XSS).
- Details of the steps we need to take to reproduce the vulnerability.
- Screenshots or logs, if you have them.
- Give as much detail as possible and cite any sources or references.
What to expect from us
We intend to provide an initial response to reporters within three (3) business days. You may request updates at any time, and we welcome further discussion about your report.
We will work with the appropriate product or service owners to validate the reported security vulnerability and will provide results to you as appropriate, along with a plan for resolution and potential public disclosure.
Public disclosure
Public disclosure may include assignment of a Common Vulnerabilities and Exposures (CVE) ID and a published CVE Record. We will exercise discretion and judgment when making CVE assignment decisions. Managing vulnerabilities can be a complex process and we cannot commit to a specific timeframe. Upon request, we will acknowledge the reporter of the security vulnerability.
In order to protect our customers, we request that you do not share information publicly regarding a potential security vulnerability until we have researched and addressed the reported vulnerability.
Not all bugs are security vulnerabilities. We cannot promise that every issue reported will be categorized as a security vulnerability and/or publicly reported. We will explain our reasoning as appropriate.
Guidance
- If you encounter any PII (Personally Identifiable Information), please stop testing and contact the BAE Systems security team by sending a report.
- If you encounter data marked or considered any of the following, please stop testing and contact the BAE Systems security team by sending a report: CUI (Controlled Unclassified Information), CDI (Covered Defense Information), CTI (Controlled Technical Information).
- Do your best to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Do not attempt to further pivot into the network using a discovered vulnerability.
Legal
- You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
- You agree that You shall not, without the prior written consent of BAE Systems in each instance (i) use in advertising, publicity or otherwise the name of BAE Systems or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by BAE Systems or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by BAE Systems or its Affiliates.
- You agree that any and all information acquired or accessed by You as part of this exercise is confidential to BAE Systems and You shall hold the information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
- You acknowledge and agree that any and all information you encounter is owned by BAE Systems or its third-party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.
- BAE Systems may modify the terms of this policy or terminate the policy at any time.
- By emailing information, you consent to Your information being transferred to and stored in the United States and acknowledge that you have read and accepted the Terms, Privacy Policy and Disclosure Guidelines presented to you when you created your account.
- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
- Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.