Vulnerability Disclosure Policy
Purpose
This policy covers vulnerabilities in Exa Networks Ltd’s systems, services, and products that are explicitly listed in the “Scope” section below. Our goal is to work together with the security community to identify and resolve security issues in a way that protects our customers, staff, and infrastructure. If you follow this policy when conducting your research, we consider your activities to be authorised and will not pursue legal action against you.
Scope
To ensure clarity and avoid misunderstandings, this policy defines exactly which systems, services and products are considered in scope for vulnerability reporting.
In Scope
This policy applies to all live, production-facing systems, services and products operated directly by Exa Networks Ltd, including:
All websites and subdomains under the exa.net.uk domain.
The Protect & Connect® suite for schools, multi-academy trusts (MATs) and businesses, covering broadband services such as ultrafast leased lines, DarkLight, FTTP, GPON, resilient failover solutions and network infrastructure.
Security products such as SurfProtect® Quantum and Quantum+ content filtering, SurfProtect® Evolution and Evolution+ content filtering, firewalls (physical and virtual), cyber security solutions, antivirus services and the Router for Life offering.
Additional services including VoIP telephony, bespoke WAN networking, colocation, and email and website hosting.
Official APIs, customer portals, online tools (for example, the quote builder and speed checker) and management interfaces operated by Exa Networks Ltd.
Mobile applications published under “Exa Networks Ltd” in official app stores.
Out of Scope
The following are out of scope and must not be tested:
Any third-party services or platforms not owned or operated by Exa Networks Ltd.
Any form of Denial of Service (DoS) or resource exhaustion testing.
Automated vulnerability scanner results without a working, benign proof of concept.
TLS configuration weaknesses without a functional exploit demonstrating real-world impact.
Clickjacking or missing security header reports without evidence of an exploitable impact.
Reporting
If you believe you have found a security vulnerability, please submit your report to us using the guidance below:
Please submit reports in English where possible.
We recommend encrypting your report using our PGP key https://www.exa.net.uk/pgp-key/security.txt before sending to security@exa.net.uk.
To help us triage quickly, please include:
The website, IP address, or application where the vulnerability was found.
The type of vulnerability (e.g., “Cross-Site Scripting (XSS)”).
Step-by-step reproduction instructions with a benign proof of concept.
An assessment of potential impact (e.g., data disclosure, privilege escalation).
What to Expect
After you have submitted your report, we will acknowledge receipt of your report within three working days, provide a triage result within ten working days, and aim to remediate confirmed vulnerabilities within ninety days of triage, keeping you updated at least every thirty days.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Reporters are welcome to enquire about the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Guidance
You must NOT:
Break any applicable law or regulations.
Access unnecessary, excessive or significant amounts of data.
Modify data in Exa Networks Ltd’s systems or services.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Disrupt Exa Networks Ltd’s services or systems.
Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
Use human-oriented attack vectors such as social engineering or phishing, or physically attack Exa Networks Ltd’s staff or infrastructure.
Demand financial compensation in order to disclose any vulnerabilities.
Use AI to generate the report without verifying the output yourself.
You must:
Always comply with data protection rules and not violate the privacy of Exa Networks Ltd’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
Limit automated testing to no more than 10 requests per second to avoid service disruption.
Securely delete all data retrieved during your research within 7 days of resolution or sooner if required by applicable data protection laws.
Only test against accounts, systems, or data that you own or have explicit permission to use.
You may:
Contact us prior to testing to inform us of your intent, so that we can be in touch in case of any disruption or issues.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Exa Networks Ltd or partner organisations to be in breach of any legal obligations.
If you comply with this policy, we will not initiate or support any legal action against you for security research conducted in good faith. This includes research performed under the UK Computer Misuse Act 1990 or applicable local laws.
This policy follows the principles of ISO 29147 (Vulnerability Disclosure) and ISO 30111 (Vulnerability Handling Processes).