Coordinated Vulnerability Reporting Policy
Introduction
The Megger group (collectively, “Megger” or the “Group”, or “we” or “us”) is committed to maintaining the security, confidentiality, integrity, availability, and lawful processing of its systems, services, applications, and data, including personal data processed on behalf of customers, employees, partners, and other stakeholders.
This Coordinated Vulnerability Reporting Policy (“Policy”) provides a mechanism for individuals to report suspected security vulnerabilities relating to systems or services owned or operated by Megger.
This Policy is designed to support secure vulnerability handling while protecting the confidentiality, integrity, and availability of information assets and ensuring alignment with applicable legal, regulatory, privacy, and data protection obligations.
This Policy is informed by relevant industry guidance and standards, including:
- Cybersecurity and Infrastructure Security Agency Coordinated Vulnerability Disclosure guidance
- National Institute of Standards and Technology SP 800-216
- International Organization for Standardization ISO/IEC 29147 - Vulnerability Disclosure
- International Organization for Standardization ISO/IEC 30111 - Vulnerability Handling Processes
- RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure (security.txt)
This Policy should be read together with Megger’s Terms of Use, Supply Chain Code of Conduct, Privacy Notice, Information Security Policies, Data Protection Policies, and any other applicable legal or contractual terms.
Scope
This Policy applies to internet-accessible systems, applications, websites, APIs, and, where applicable, Megger products, product software, firmware, mobile or desktop applications, cloud services, remote data processing solutions, and other digital components owned, operated, supplied or supported by Megger.
Unless explicitly stated otherwise in writing, the following are outside the scope of this Policy:
- Third-party systems or services not owned or controlled by Megger
- Social engineering or phishing attacks
- Physical security attacks
- Denial-of-service (DoS/DDoS) testing
- Spam or excessive automated scanning
- Credential stuffing, password spraying, or brute-force attacks
- Malware deployment
- Vulnerabilities requiring unrealistic user interaction
- Missing HTTP security headers without demonstrable exploitability
- TLS/SSL configuration observations without demonstrable security impact
- Cookie flags without exploitable impact
- Self-XSS
- Clickjacking affecting non-sensitive pages only
- Best-practice recommendations without an identifiable exploitable condition
- Previously disclosed or publicly known vulnerabilities
Megger reserves the right to determine whether any reported issue falls within the scope of this Policy.
This Policy applies to:
- All Megger employees, and other staff members; and
- All agents, contractors, distributors, associates, suppliers, customers and joint venture partners with whom the Megger Group does business (“Business Partners”); and
- Any individual who may discover, or set out to discover, a security vulnerability in any of the products or systems described in this Policy
References to “individuals” in this Policy may refer to any member of staff or representative of Megger or a Business Partner. Business Partners must ensure that their staff and representatives comply with this Policy.
Responsible Reporting
Megger recognises the importance of receiving information relating to potential security vulnerabilities affecting its systems, services, or applications.
This Policy provides a mechanism for responsible reporting only. Nothing in this Policy shall be interpreted as permission, authorisation, licence, or consent to access, test, scan, exploit, interfere with, or otherwise interact with any system, service, application, account, data set, or environment owned or operated by Megger.
Megger does not endorse, permit, or encourage:
- Unauthorised access to systems, applications, environments, or data
- Circumvention of security or privacy controls
- Exploitation of vulnerabilities
- Active security testing against production systems
- Automated scanning without prior written approval
- Access to, extraction of, modification of, deletion of, or retention of personal data or confidential information
- Service disruption
- Public disclosure of vulnerabilities without prior written consent
Any activities conducted against Megger systems remain subject to applicable laws, regulations, contractual obligations, confidentiality obligations, privacy requirements, and terms of use.
Individuals identifying potential vulnerabilities should immediately cease further activity and report the matter through the channels described in this Policy.
Data Protection and Privacy Requirements
Protection of personal data and confidential information is a mandatory requirement under this Policy.
Individuals submitting vulnerability reports must:
- Avoid accessing personal data unless strictly unavoidable to identify the existence of a suspected issue
- Immediately cease activity upon encountering personal data, special category data, confidential business information, authentication credentials, or regulated data
- Not copy, download, transmit, retain, process, disclose, or otherwise use personal data obtained during any activity relating to a reported issue
- Promptly notify Megger if personal data or confidential information may have been exposed, accessed, or impacted
- Maintain strict confidentiality regarding any information observed during the course of identifying or reporting a suspected vulnerability
- Comply with all applicable privacy and data protection laws and regulations
Any unauthorised access to personal data may constitute a breach of applicable data protection, privacy, cybersecurity, confidentiality, or criminal laws.
Reporting Requirements
Individuals submitting vulnerability reports must:
- Act responsibly and in good faith
- Avoid actions that could negatively affect the confidentiality, integrity, availability, or resilience of systems or data
- Refrain from accessing, acquiring, modifying, deleting, transmitting, or retaining data that does not belong to them
- Avoid exploitation beyond the minimum necessary to identify the suspected issue
- Immediately cease activity upon discovery of sensitive information
- Maintain strict confidentiality regarding the reported issue unless expressly authorised in writing by Megger. Where the reporter is acting on behalf of an employer or other organisation, the reporter should ensure that any sharing within that organisation is limited to those with a legitimate need to know and remains subject to appropriate confidentiality obligations.
The following activities are strictly prohibited:
- Exploitation of vulnerabilities
- Privilege escalation
- Persistence or lateral movement
- Malware deployment
- Denial-of-service testing
- Social engineering or phishing
- Credential attacks
- Automated vulnerability scanning without prior written approval
- Public disclosure of vulnerabilities
- Disclosure to third parties without written approval
How to Report a Vulnerability
Suspected security vulnerabilities should be reported to:
Email: [email protected]
Individuals are encouraged to report suspected vulnerabilities as soon as reasonably practicable, particularly where personal data, confidential information, authentication credentials, regulated information, or system availability may be affected. Prompt reporting assists Megger in assessing and, where required, complying with applicable legal, regulatory, contractual and data breach notification obligations, including timeframes for assessing and notifying personal data breaches. This is without prejudice to any separate reporting, notification or escalation obligations that may apply under any contract, policy, law, regulation or duty owed to Megger or any other person.
Reports should include, where possible:
- Description of the suspected vulnerability
- Affected URL, system, API, or service
- Steps necessary to reproduce the issue
- Screenshots or supporting evidence, where appropriate
- Potential impact assessment
- Whether any personal data, confidential information, or regulated information may have been exposed
- Reporter contact details
Megger may request additional information to support investigation or validation activities.
We encourage encrypted submissions where possible.
Vulnerability Handling Process
Megger will make reasonable efforts to:
- Acknowledge receipt of reports
- Review and assess reported issues
- Prioritise remediation activities based on risk, operational considerations, business impact, and potential impact to personal data or regulated information
- Maintain confidentiality of reported information where appropriate
- Escalate matters involving potential personal data exposure through internal privacy, legal, security incident, and regulatory assessment processes where required
Submission of a report does not guarantee:
- That the reported issue constitutes a security vulnerability
- That remediation will occur within a particular timeframe
- Any entitlement to compensation, public recognition, or further communication
Megger may, at its sole discretion, coordinate remediation and disclosure activities relating to reported vulnerabilities.
Public disclosure of vulnerabilities relating to Megger systems is prohibited unless expressly authorised in writing by Megger.
No Authorisation Granted
This Policy does not:
- Grant permission to access any system or data
- Authorise circumvention of security or privacy controls
- Permit testing, scanning, or exploitation activities
- Provide immunity from civil, criminal, regulatory, contractual, or data protection liability
- Waive any rights or remedies available to Megger
- Create any contractual relationship between Megger and any individual or entity
Megger reserves all legal rights relating to unauthorised activities conducted against its systems, services, applications, personnel, data, or infrastructure.
Reservation of Rights
Megger reserves the right to:
- Determine whether reported issues constitute a security vulnerability or personal data incident
- Determine the severity, risk rating, and remediation approach for any reported issue
- Decline to respond to reports falling outside the scope of this Policy
- Modify or withdraw this Policy at any time without notice. An individual who detects a security vulnerability should check the current version of this Policy before submitting a report
- Refer unlawful or malicious activities to law enforcement, regulators, supervisory authorities, or other relevant authorities where appropriate
Privacy and Confidentiality
Information submitted under this Policy will be used solely for security assessment, investigation, remediation, compliance, audit, regulatory, legal, and defensive purposes.
Reports and associated information may be shared internally with Information Security, Legal, Privacy, Compliance, Risk, Internal Audit, and other authorised stakeholders on a need-to-know basis, and with our advisors, who are themselves bound by confidentiality agreements.
Reporters must maintain confidentiality regarding reported vulnerabilities and any associated information unless disclosure is expressly authorised in writing by Megger.
Megger will process any personal data received under this Policy in accordance with applicable data protection and privacy laws and its Privacy Notice.
No Compensation
Megger does not operate a bug bounty programme and does not provide monetary compensation, rewards, or incentives for vulnerability reports unless explicitly agreed in writing.
Policy Updates
Last updated: May 2026