Ansell is a global safety solutions expert, reinventing personal protection for 125 years. We deliver the most advanced protection solutions to millions of people at work and at home, keeping them out of harm’s way. Our expertise, innovative products, and advanced technology give our customers peace of mind and confidence no other brand can deliver. Ansell’s mission is to provide innovative safety solutions in a trustworthy and reliable manner, creating an Ansell-protected world.
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered cybersecurity vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing a cybersecurity vulnerability.
We encourage you to contact us to report any potential vulnerability in our systems.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised and we will work with you to understand and resolve any cybersecurity issue quickly, and Ansell will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.
As set out in the guidelines above, to comply with this policy we ask that you refrain from sharing your report about Ansell with others prior to submitting it to us and while we investigate the suspected cybersecurity vulnerability and potentially work on a patch or other resolutions. Please raise any Ansell issues with us before you make a disclosure.
We will inform you when we finalise our findings after the cybersecurity vulnerability is resolved. To comply with this policy, we require that you link to Ansell’s findings alongside your findings in any blog posts, public reports, presentations, or any other public statements on the matter. Other than potentially listing an overall timeline regarding the vulnerability you brought to our attention, we will not publish information about you or our communications with you without your permission. If you wish to be recognised, we will thank you by name or handle in our advisory. Ansell does not credit employees or contractors of Ansell and its subsidiaries for vulnerabilities they have found.
To the extent this policy refers to a “vulnerability” or “vulnerabilities,” it is intended and understood that all such references mean potential or suspected cybersecurity vulnerabilities, whether so stated or not, until such vulnerability has been investigated and confirmed by Ansell. Whether to recognise the disclosure of a vulnerability and the timing of the recognition is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws.
The following test methods are not authorised:
This policy applies to the following systems and services:
All customer applications are excluded from this policy.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorised for testing. Additionally, cybersecurity vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at email@example.com before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We intend to increase the scope of this policy over time.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate cybersecurity vulnerabilities. We will not share your name or contact information without express permission.
We accept vulnerability reports at this form below or via firstname.lastname@example.org. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
We do not support PGP-encrypted emails. For particularly sensitive information, submit through our HTTPS web form below.
In order to help us triage and prioritise submissions, we recommend that your reports:
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
Questions regarding this policy may be sent to email@example.com. We also invite you to contact us with suggestions for improving this policy.