1. About this policy

As an operator and provider of multiple information technology services for the Shell Group, Shell IT[1] has a material interest in the ability to maintain adequate security of its systems and IT infrastructure for the Shell Group and its customers. Via this Responsible Disclosure policy[2] (the “Policy”) the Information Risk Management (IRM) department of Shell IT provides a framework that allows for the safe, secure, and responsible disclosure of weaknesses in our information technology infrastructure which can be exploited to perform unauthorized actions within a system (“vulnerabilities”). The purpose of this Policy is to enable the vulnerability to be reported responsibly and to be remediated or patched in order to retain the integrity, continuity and security of our services.

If you are a security researcher and you encounter a vulnerability, we would like to cooperate with you to fix the vulnerability before it can be misused.

2. Scope

We request you to communicate your findings to us in connection with vulnerabilities in our systems as soon as reasonably possible in the manner described below. The following are examples of categories of vulnerabilities that are in scope and that we are interested in:

  • Remote Code Execution
  • SQL injection vulnerabilities
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Encryption vulnerabilities

Out of scope are:

  • comments about Shell services (to report service complaints, please contact your local Shell office)
  • reports on (potential) fraud or compliance issues (to report a compliance issue, please contact the Shell Global Helpline)
  • reports on phishing campaigns or emails and/or viruses or malware; these can be reported to cert@shell.com with the original email as an attachment. If the original email contains a suspicious attachment, please make sure that it is not included in your message, as this will likely cause your email to be blocked.

3. Reporting a vulnerability responsibly

Please describe the discovered vulnerability or issue in detail, with supporting evidence if possible, so that our information risk experts can analyze the finding.

You can send the report to the cert@shell.com email address.

To the extent possible, please include the following in your report:

  • Type of vulnerability or issue
  • Service, product or URL affected
  • Special configuration or requirements to reproduce the issue
  • Information necessary to reproduce the issue
  • Impact of the vulnerability together with an explanation of how an attacker could find it and exploit it

We welcome anonymous reports but we will not be able to share updates on the follow-up of the report.

Our information risk analysts will assess the finding and respond as soon as reasonably possible. Each case will be analysed individually. We kindly request you to provide us the reasonable opportunity and time for this analysis, to keep the information confidential, and not to disclose the vulnerability to others without consultation with our analysts.

Any personal details that we have received from your side will be processed by us in accordance with the Shell global privacy notice for business customers, partners and counterparties available at www.shell.com/privacy (also in your local language, depending on your location). Your data will be processed for purposes of responding to your report and addressing the reported vulnerabilities. We will retain your data for as long as your report is investigated and up to one year thereafter.

4. Ethical engagement rules

Certain hacking activities constitute criminal actions. To protect you and us please act in good faith and follow these rules of ethical engagement:

  • report the vulnerability to us in the manner set out above;
  • report the vulnerability as soon as you can to prevent that threat actors exploit the vulnerability before we have a chance to fix it;
  • report the vulnerability to us while keeping the information confidential (in particular if it concerns personal data);
  • do not disclose the vulnerability to others;
  • do not use social engineering to gain access to our IT infrastructure or services;
  • do not install your own backdoor in our systems to disclose the vulnerability as this may result in unnecessary damage and security risks;
  • do not exploit a vulnerability further than necessary to confirm the vulnerability finding;
  • do not copy, modify, or remove data from the system (an alternative is to create a directory listing of the system);
  • do not modify the system;
  • do not use Denial of Service attacks or brute force access technology;
  • do not use phishing;
  • do not use aggressive automated scanning;
  • do not negatively impact the confidentiality, integrity or availability of our services;
  • do not execute code on our systems;
  • do not attempt to penetrate the system further than necessary to confirm the vulnerability finding.

5. What will we do with your report

An information risk analyst will be allocated to investigate the reported findings. Each case may be analysed individually. We aim to reply within three (3) business days to acknowledge your report. After the initial analysis of the report, we may request further information, evidence, and support in connection with your findings. If the nature of the report is sensitive and/or contains personal data, we may provide instructions to exchange information using encryption keys to safeguard the confidentiality and security of communications and provide you further instructions as to how to securely dispose of personal data.

6. No rewards

No monetary compensation is offered or provided in connection with reporting vulnerabilities. This Policy is not intended to encourage hacking attempts in connection with Shell information technology infrastructure, but to provide a responsible framework under which security vulnerability reports can be communicated and remediated. On a case-by-case basis, in consultation, we will consider providing public acknowledgement of your support.

7. Questions

If at any time you have questions about the above procedure, feel free to reach out to cert@shell.com.


[1] The Shell Information Risk Management department (IRM) of Shell is part of Shell IT Services & Operations which provides IT services to the Shell Group. The companies in which Royal Dutch Shell plc directly and indirectly owns investments are separate entities. In this document the expressions "Shell", "Group" and "Shell Group" are sometimes used for convenience where references are made to Group companies in general.  Likewise, the words "we", "us" and "our" are also used to refer to Group companies in general or those who work for them. The expression "Shell IT" is a trading style used by a community of separate companies and other organisational entities within the Shell Group. The expressions "Shell", "Group", "Shell Group" and "Shell IT" are also used where there is no purpose in identifying specific companies.

[2] This policy is based on guidance issued in 2013 by the national cyber security center of the Dutch Ministry of Security and Justice, available here: https://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html and the guidance issued in 2013 by Dutch Public Justice Department, available here: https://www.om.nl/publish/pages/22742/03_18_13_beleidsbrief_college_responsible_disclosure.pdf.