{"organism":"Page","children":[{"organism":"Container.Raw","children":[{"organism":"Metadata","color":"brand1-solid","model":{"title":"Shell responsible disclosure policy","text":"Shell Information Risk Management - Shell responsible disclosure policy","links":[{"name":"Shell responsible disclosure policy","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy.html"}]},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/metadata"},{"organism":"ContentOwner","color":"brand1-solid","model":{},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/contentowner"},{"organism":"Container.Header","children":[{"organism":"Container.Raw","ref":"https://www.shell.com/_jcr_content/root/header/inherited.model.json","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/header/inherited","model":{}},{"organism":"Breadcrumb","model":{"links":[{"name":"Home","value":"https://www.shell.com/"},{"name":"Who we are","value":"https://www.shell.com/who-we-are.html"},{"name":"Our values","value":"https://www.shell.com/who-we-are/our-values.html"},{"name":"Shell Global Helpline","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline.html"},{"name":"Shell responsible disclosure 
policy","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy.html"}]},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/header/breadcrumb"}],"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/header","model":{}},{"organism":"Container.Main","children":[{"organism":"Container.Section","children":[{"organism":"PageHeader","color":"brand2","model":{"title":"Shell responsible disclosure policy"},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/item"},{"organism":"Container.Gapless","color":"inherited","children":[{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_copy","model":{"title":"1. About this policy","text":"\u003Cp\u003EAs an operator and provider of multiple information technology services for the Shell Group, Shell IT\u003Csup\u003E[1]\u003C/sup\u003E has a material interest in the ability to maintain adequate security of its systems and IT infrastructure for the Shell Group and its customers. Via this Responsible Disclosure policy\u003Csup\u003E[2]\u003C/sup\u003E (the “Policy”) the Information Risk Management (IRM) department of Shell IT provides a framework that allows for the safe, secure, and responsible disclosure of weaknesses in our information technology infrastructure which can be exploited to perform unauthorized actions within a system (“vulnerabilities”). 
The purpose of this Policy is to enable the vulnerability to be reported responsibly and to be remediated or patched in order to retain the integrity, continuity and security of our services.\u003C/p\u003E\n\u003Cp\u003EIf you are a security researcher and you encounter a vulnerability, we would like to cooperate with you to fix the vulnerability before it can be misused.\u003Cbr\u003E\n\u003C/p\u003E\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_copy_copy","model":{"title":"2. Scope","text":"\u003Cp\u003EWe request you to communicate your findings to us in connection with vulnerabilities in our systems as soon as reasonably possible in the manner described below. The following are examples of categories of vulnerabilities that are in scope and that we are interested in:\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cul\u003E\r\n\u003Cli\u003ERemote Code Execution\u003Cbr\u003E\r\n\u003C/li\u003E\r\n\u003Cli\u003ESQL injection vulnerabilities\u003C/li\u003E\r\n\u003Cli\u003EAuthentication or authorization flaws\u003C/li\u003E\r\n\u003Cli\u003EServer-side code execution bugs\u003C/li\u003E\r\n\u003Cli\u003EEncryption vulnerabilities\u003C/li\u003E\r\n\u003C/ul\u003E\r\n\u003Cp\u003EOut of scope are:\u003C/p\u003E\r\n\u003Cul\u003E\r\n\u003Cli\u003EComments about Shell services (to report service complaints, please contact your \u003Cb\u003E\u003Ca href=\"https://www.shell.com/who-we-are/contact-us.html\" target=\"_self\"\u003Elocal Shell office\u003C/a\u003E\u003C/b\u003E)\u003Cbr\u003E\r\n\u003C/li\u003E\r\n\u003Cli\u003EReports on (potential) fraud or compliance issues (to report a compliance issue, please contact the \u003Cb\u003E\u003Ca href=\"https://www.shell.com/who-we-are/our-values/shell-global-helpline.html\" target=\"_self\"\u003EShell Global 
Helpline\u003C/a\u003E\u003C/b\u003E)\u003C/li\u003E\r\n\u003Cli\u003EReports on \u003Cb\u003Ephishing campaigns or emails and/or viruses or malware\u003C/b\u003E can be reported by forwarding the original email as an attachment to \u003Cb\u003E\u003Ca href=\"mailto:cert@shell.com\"\u003Ecert@shell.com\u003C/a\u003E\u003C/b\u003E. If the original email contains a suspicious attachment, please make sure that it is not included in your message, as this will likely cause your email to be blocked.\u003C/li\u003E\r\n\u003C/ul\u003E\r\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_copy_1625763104","model":{"title":"3. Reporting a vulnerability responsibly","text":"\u003Cp\u003EPlease describe the discovered vulnerability or issue in detail with supporting evidence if possible so that our information risk experts can analyze the finding.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cp\u003EYou can send the report to the \u003Cb\u003E\u003Ca href=\"mailto:cert@shell.com\"\u003Ecert@shell.com\u003C/a\u003E\u003C/b\u003E email address. Note that ordinary email is not end-to-end encrypted; if your report contains sensitive details (for example working exploit code or personal data), consider asking for the encrypted exchange instructions described in section 5 before sending them.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cp\u003ETo the extent possible, please include the following in your report:\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cul\u003E\r\n\u003Cli\u003EType of vulnerability or issue\u003Cbr\u003E\r\n\u003C/li\u003E\r\n\u003Cli\u003EService, product or URL affected\u003C/li\u003E\r\n\u003Cli\u003ESpecial configuration or requirements to reproduce the issue\u003C/li\u003E\r\n\u003Cli\u003EInformation necessary to reproduce the issue\u003C/li\u003E\r\n\u003Cli\u003EImpact of the vulnerability together with an explanation of how an attacker could find it and exploit it\u003C/li\u003E\r\n\u003C/ul\u003E\r\n\u003Cp\u003EWe welcome anonymous reports but we will not be able to share updates on the follow-up of the report.\u003C/p\u003E\r\n\u003Cp\u003EOur 
information risk analysts will assess the finding and respond as soon as reasonably possible. Each case will be analysed individually. We kindly request you to provide us with the reasonable opportunity and time for this analysis, to keep the information confidential, and not to disclose the vulnerability to others without consultation with our analysts.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cp\u003EAny personal details that we have received from your side will be processed by us in accordance with the Shell global privacy notice for business customers, partners and counterparties available at \u003Cb\u003E\u003Ca href=\"https://www.shell.com/privacy.html\" target=\"_self\"\u003Ewww.shell.com/privacy\u003C/a\u003E\u003C/b\u003E (also in your local language, depending on your location). Your data will be processed for purposes of responding to your report and addressing the reported vulnerabilities. We will retain your data for as long as your report is investigated and up to one year thereafter.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_copy_copy_74125","model":{"title":"4. Ethical engagement rules","text":"\u003Cp\u003ECertain hacking activities constitute criminal actions. 
To protect both you and us, please act in good faith and follow these rules of ethical engagement:\u003C/p\u003E\r\n\u003Cul\u003E\r\n\u003Cli\u003Ereport the vulnerability to us in the manner set out above;\u003C/li\u003E\r\n\u003Cli\u003Ereport the vulnerability as soon as you can to prevent threat actors from exploiting the vulnerability before we have a chance to fix it;\u003C/li\u003E\r\n\u003Cli\u003Ereport the vulnerability to us while keeping the information confidential (in particular if it concerns personal data);\u003C/li\u003E\r\n\u003Cli\u003Edo not disclose the vulnerability to others;\u003C/li\u003E\r\n\u003Cli\u003Edo not use social engineering to gain access to our IT infrastructure or services;\u003C/li\u003E\r\n\u003Cli\u003Edo not install your own backdoor in our systems to disclose the vulnerability as this may result in unnecessary damage and security risks;\u003C/li\u003E\r\n\u003Cli\u003Edo not exploit a vulnerability further than necessary to confirm the vulnerability finding;\u003C/li\u003E\r\n\u003Cli\u003Edo not copy, modify, or remove data from the system (to demonstrate access, a directory listing of the system is sufficient);\u003C/li\u003E\r\n\u003Cli\u003Edo not modify the system;\u003C/li\u003E\r\n\u003Cli\u003Edo not use Denial of Service attacks or brute-force access techniques;\u003C/li\u003E\r\n\u003Cli\u003Edo not use phishing;\u003C/li\u003E\r\n\u003Cli\u003Edo not use aggressive automated scanning;\u003C/li\u003E\r\n\u003Cli\u003Edo not negatively impact the confidentiality, integrity or availability of our services;\u003C/li\u003E\r\n\u003Cli\u003Edo not execute code on our systems;\u003C/li\u003E\r\n\u003Cli\u003Edo not attempt to penetrate the system further than necessary to confirm the vulnerability 
finding.\u003C/li\u003E\r\n\u003C/ul\u003E\r\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_copy_695208148","model":{"title":"5. What will we do with your report","text":"\u003Cp\u003EAn information risk analyst will be allocated to investigate the reported findings. Each case may be analysed individually. We aim to reply within three (3) business days to acknowledge your report. After the initial analysis of the report, we may request further information, evidence, and support in connection with your findings. If the nature of the report is sensitive and/or contains personal data, we may provide instructions to exchange information using encryption keys to safeguard the confidentiality and security of communications and provide you further instructions as to how to securely dispose of personal data.\u003C/p\u003E\r\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text","model":{"title":"6. No rewards","text":"\u003Cp\u003ENo monetary compensation is offered or provided in connection with reporting vulnerabilities. This Policy is not intended to encourage hacking attempts in connection with Shell information technology infrastructure, but to provide a responsible framework under which security vulnerability reports can be communicated and remediated. On a case by case basis, in consultation, we will consider providing public acknowledgement of your support.\u003C/p\u003E\r\n"}},{"organism":"PromoSimple.Text","color":"inherited","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/text_1454154392","model":{"title":"7. 
Questions","text":"\u003Cp\u003EIf at any time you have questions about the above procedure, feel free to reach out to \u003Cb\u003E\u003Ca href=\"mailto:cert@shell.com\"\u003Ecert@shell.com\u003C/a\u003E\u003C/b\u003E\u003C/p\u003E\r\n\u003Cp\u003E&nbsp;\u003C/p\u003E\r\n\u003Cp\u003E\u003Csup\u003E[1]\u003C/sup\u003E The Shell Information Risk Management department (IRM) of Shell is part of Shell IT Services &amp; Operations which provides IT services to the Shell Group. The companies in which Royal Dutch Shell plc directly and indirectly owns investments are separate entities. In this document the expressions \"Shell\", \"Group\" and \"Shell Group\" are sometimes used for convenience where references are made to Group companies in general.&nbsp; Likewise, the words \"we\", \"us\" and \"our\" are also used to refer to Group companies in general or those who work for them. The expression \"Shell IT\" is a trading style used by a community of separate companies and other organisational entities within the Shell Group. 
The expressions \"Shell\", \"Group\", \"Shell Group\" and \"Shell IT\" are also used where there is no purpose in identifying specific companies.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n\u003Cp\u003E\u003Csup\u003E[2]\u003C/sup\u003E This policy is based on guidance issued in 2013 by the national cyber security center of the Dutch Ministry of Security and Justice, available here: \u003Cb\u003E\u003Ca href=\"https://www.ncsc.nl/\" target=\"_blank\"\u003Ehttps://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html\u003C/a\u003E\u003C/b\u003E and the guidance issued in 2013 by Dutch Public Justice Department, available here: \u003Cb\u003E\u003Ca href=\"https://www.om.nl/\" target=\"_blank\"\u003Ehttps://www.om.nl/publish/pages/22742/03_18_13_beleidsbrief_college_responsible_disclosure.pdf\u003C/a\u003E\u003C/b\u003E.\u003Cbr\u003E\r\n\u003C/p\u003E\r\n"}},{"organism":"Container.Gapless","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple/experience_fragment","model":{}}],"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section/simple","model":{}}],"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main/section","model":{}}],"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/main","model":{}},{"organism":"Container.Footer","children":[{"organism":"Breadcrumb.Large","model":{"links":[{"name":"Home","value":"https://www.shell.com/"},{"name":"Who we are","value":"https://www.shell.com/who-we-are.html"},{"name":"Our values","value":"https://www.shell.com/who-we-are/our-values.html"},{"name":"Shell Global 
Helpline","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline.html"},{"name":"Shell responsible disclosure policy","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy.html"}]},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/footer/breadcrumb"},{"organism":"Container.Raw","ref":"https://www.shell.com/_jcr_content/root/footer/inherited.model.json","id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/footer/inherited","model":{}}],"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content/root/footer","model":{}}],"id":"/conf/shell/settings/wcm/templates/base/structure/jcr_content/root","model":{}}],"model":{"title":"Shell responsible disclosure policy","text":"Shell Information Risk Management - Shell responsible disclosure policy","links":[{"name":"canonical","value":"https://www.shell.com/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy.html"},{"name":"errorUrl","value":"https://www.shell.com/error.html"},{"name":"hierarchy","value":"en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy"},{"name":"homeTitle","value":"Shell Global"},{"name":"homeUrl","value":"https://www.shell.com/"},{"name":"locale","value":"en-GB"},{"name":"title","value":"Shell responsible disclosure policy | Shell Global"},{"name":"textDirection","value":"ltr"},{"name":"template","value":"base"},{"name":"contentPath","value":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy"},{"name":"externalDisclaimerText","value":"Shell plc Legal Disclaimer\r\n\r\nYou are now leaving the Shell global website.\r\n\r\nThe link you have selected will direct you to a website that is not 
controlled by Shell plc or any member of the Shell Group. Accordingly, neither Shell plc nor any member of the Shell Group endorses, adopts, certifies or otherwise validates the information and material contained on the linked website. This includes its sponsor and any policies, activities or services offered on the site, by any advertiser on the site or linked to the site.\r\n\r\nThank you for visiting the Shell global website."},{"name":"themeMode"},{"name":"lastModified","value":"2024-12-24T20:06:28.432Z"},{"name":"dateModified","value":"2025-10-22T00:00Z"},{"name":"adobeAnalyticsUrl","value":"https://scmetrics.shell.com/b/ss/shell.amidala.nativeimplementation.poc/0"},{"name":"themeName","value":"base"},{"name":"themePath","value":"/etc.clientlibs/amidala/clientlibs/theme-base"},{"name":"themeCss","value":"/etc.clientlibs/amidala/clientlibs/theme-base.ACSHASHb291465fc8d3c7bcefde74d34044b698.css"}]},"id":"/content/shell/corporate/global/en_gb/who-we-are/our-values/shell-global-helpline/responsible-disclosure-policy/jcr_content"}
