You are here: Home > Get Support > Contact Us > Responsible Disclosure Policy

Responsible Disclosure Policy

The RIPE NCC has started with a formal Bug Bounty program with Intigriti. Currently this is an 'invite-only' program for security researchers that have registered with Intigriti. If you want to participate, please contact Intigriti Support.
You are only eligible for a bounty when participating through the Intigriti program.

If you don't want to participate in the formal bug bounty program, you can still report security issues to us directly. Please read our responsible disclosure policy carefully:

The RIPE NCC works hard to keep our systems and data as secure as possible. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner. Our responsible disclosure policy is not an invitation to actively hack and potentially disrupt our company network and online services. The RIPE NCC reserves the right to initiate legal action against researchers for penetrating or attempting to penetrate our systems if they do not adhere to this policy.

The RIPE NCC does not permit the following types of security research:

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

Performing actions that may negatively affect RIPE NCC or its users (e.g. any form of Denial of Service attacks)
Accessing, or attempting to access, data or information that does not belong to you
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
Conducting any kind of physical or electronic attack on RIPE NCC personnel, property or data centres
Using social engineering to target any RIPE NCC employee
Violating any laws or breaching any agreements in order to discover vulnerabilities

Scope of the network

The following is in scope:

The ripe.net website and any of its sub-domains (e.g. ripe.net, atlas.ripe.net, labs.ripe.net, stat.ripe.net), services, API’s and infrastructure;
Any public (internet-facing) infrastructure owned and operated by the RIPE NCC

Exclusions

The following list of issues have already been reported to our Security team, reviewed, and deemed out of scope for the purposes of this programme. Please do not report any of the following classes of issues. Unless there are exceptional circumstances or novel attacks, these issues will be rejected:

*.probes.atlas.ripe.net and *.anchors.atlas.ripe.net are excluded. These devices are not hosted in networks managed by the RIPE NCC, but in networks participating in the RIPE Atlas project. If you find any vulnerabilities for IP addresses associated with RIPE Atlas probes, you will need to report them to the security teams of the responsible network operators.
Missing, or not 'properly' configured SPF, DKIM or DMARC records;
The presence of public services such as robots.txt or FTP (e.g. ftp.ripe.net);
The availability of DNS zone transfers;
Reports of old software versions without a working Proof of Concept of an exploit
Malicious activity originating from IP address space in the RIPE region, but not used by the RIPE NCC. Being a Regional Internet Registry we frequently receive abuse reports for Internet resources (IP addresses and AS numbers) for which we are not responsible. If you’re facing this issue, please check this page to see which organisation you should contact: https://www.ripe.net/support/abuse

This is not an exclusive list. If you report a vulnerability that has already been reported by someone else, we will let you know. In that case you are not eligible for our Security Hall of Fame or swag.

What we request of you

Please do not share the issue with others until it has been resolved.
Please do not publish anything about the resolved issue unless this has been discussed with us.
Email your findings to security _at_ ripe _dot_ net. Submitting a notification under a pseudonym is allowed. If you’d like to encrypt your email, you can use our public PGP key (https://www.ripe.net/support/contact/responsible-disclosure-policy/pgp-key-for-reporting-security-vulnerabilities).
Please provide sufficient information for us to reproduce the issue so that we can resolve it as soon as possible.
Please delete all confidential information obtained through the vulnerability as soon as possible after reporting it, but always after consulting us to make sure that we can reproduce the issue.

What we promise

We will act with urgency and necessary resources to resolve the issue.
We will strive to respond to your report within three business days with our evaluation of the report and an expected resolution date.
We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
After a major security issue has been solved, we will publish a report on our website explaining the vulnerability discovered and how we fixed it.
If you agree to have your name used in the report, we will credit you. Note that we will only credit the first person that reported a specific vulnerability to us.
After your vulnerability report is verified, the security team will inform you if you are eligible:

To be mentioned in our Security Hall of Fame
To receive a unique token of our gratitude: the RIPE NCC 'Hacked it!' hoodie!

We do not issue monetary rewards for reported vulnerabilities.