At RIPE NCC we are working hard to keep our systems and data secure. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner.
Find out how to report a vulnerability below.
Our responsible disclosure policy is not an invitation to actively hack and potentially disrupt our company network and online services. The RIPE NCC reserves the right to initiate legal action against researchers for penetrating or attempting to penetrate our systems if they do not adhere to this policy.
The following RIPE NCC services, assets and IP ranges are in scope of our responsible disclosure policy. The table below lists all in-scope and out-of-scope services.
In scope | Exclusions |
---|---|
*.ripe.net | |
RIPE NCC owned assets | |
RIPE NCC IP Range | |
We run our bug bounty program on Intigriti's ethical hacking and bug bounty platform. Intigriti is a European-based, cost-efficient platform that is actively used by the security researcher community.
Participating in our public bug bounty program is straightforward. Here's how:
To express our gratitude to the security researchers who help us to keep RIPE NCC services secure, we offer rewards and recognition, including:
- Bounties for valid reports
- Acknowledgement in our Hall of Fame for top contributors
- Opportunities for responsible disclosure coordination
If you are a security researcher and do not wish to participate in the formal bug bounty program with Intigriti, you can report security issues to us directly by emailing your findings to [email protected]. Submitting a notification under a pseudonym is allowed. If you would like to encrypt the email, you can use our public PGP key.
While we encourage each security researcher to discover and report any vulnerabilities they find to the RIPE NCC in a responsible manner, the following conduct is expressly prohibited:
The following classes of issues have already been reported to our Security team, reviewed, and deemed out of scope for the purposes of this programme. Please do not report any of them. Unless there are exceptional circumstances or novel attacks, these issues will be rejected:
This is not an exclusive list. If a researcher reports a vulnerability that has already been reported by someone else, the researcher will be informed. In that case the researcher is not eligible for our Security Hall of Fame or a bounty from our bug bounty program.
After your vulnerability report is verified, the security team will inform you if you are eligible to be mentioned in our Security Hall of Fame.