Coordinated Vulnerability Disclosure Policy


Our policy is based on the NZITF Disclosure Guidelines.

Policy

We are committed to protecting our community and users. If you are a security expert or security researcher and you believe you have discovered a security-related issue with our websites, network, CPE, or other systems, we appreciate your help in reporting the issue to us responsibly.

We ask the security research community to give us an opportunity to correct issues and vulnerabilities before publicly disclosing them. If you give us reasonable time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you, or ask law enforcement to investigate you.

Contact Information

The best method for contacting our security team is via email. You may encrypt your email to us with PGP if you wish to protect the contents of your email. We are also open to anonymous reports, so long as we have a valid method of corresponding with you (e.g. an anonymous email relay service).

2degrees Security Team
sec.notify@2degrees.nz
Key ID: E24A7B33, Fingerprint: CC3E DDBF AFD1 C03A FA10 25B8 7C84 5646 E24A 7B33

Our public key can be obtained from most well-known public keyservers such as:

You can use this key to encrypt and secure messages to us.

To start using it, you will need to install OpenPGP/GPG software on your computer. Below is a list of possible solutions for your operating system:

OS X   https://ssd.eff.org/en/module/how-use-pgp-mac-os-x

Linux   https://ssd.eff.org/en/module/how-use-pgp-linux

Windows   https://ssd.eff.org/en/module/how-use-pgp-windows-pc

iOS   https://itunes.apple.com/app/ipgmail/id430780873?mt=8

Android   https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain

Please import the public key into your local OpenPGP key manager and check that its fingerprint matches the one published above before encrypting to it.
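As an added example (not tooling from 2degrees or from this page), the following POSIX shell script performs the import described above the way a researcher should: it fetches the key by its full fingerprint rather than the short key ID, verifies that the key GnuPG actually imported has the fingerprint published on this page, and only then encrypts a report file to it. The keyserver name (keys.openpgp.org), the function names and the script usage are assumptions; the fingerprint and address are the ones published above.

```shell
#!/bin/sh
# Added example, not 2degrees' own code. Assumes GnuPG 2.x is installed and
# that keys.openpgp.org is an acceptable keyserver (the page names none).
set -u

# Published on the disclosure policy page.
EXPECTED_FPR="CC3E DDBF AFD1 C03A FA10 25B8 7C84 5646 E24A 7B33"
SEC_EMAIL="sec.notify@2degrees.nz"
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"   # assumption

# Canonical form of a fingerprint: hex digits only, upper case. Accepts a
# pasted fingerprint with or without spaces and in either case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when both arguments are the same 160-bit fingerprint, 1 otherwise.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Extracts the primary-key fingerprint from `gpg --with-colons --fingerprint`
# output on stdin: record type "fpr", field 10 (GnuPG's DETAILS format).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Look the key up by the full fingerprint, never by the 8-hex-digit key ID.
# The short ID is only the low 32 bits of the fingerprint; keys that collide
# on it can be generated in seconds, so a lookup by ID can return an
# attacker's key instead of the one the page refers to.
fetch_key() {
    fpr="$(normalize_fpr "$EXPECTED_FPR")"
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$fpr"
}

# The check that matters: the keyserver is untrusted, so confirm that the key
# now in the local keyring really carries the published fingerprint.
verify_key() {
    fpr="$(normalize_fpr "$EXPECTED_FPR")"
    got="$(gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null | fpr_from_colons)"
    if ! fingerprint_matches "$got" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: expected $EXPECTED_FPR, got '$got'" >&2
        return 1
    fi
}

# Encrypt a report file to the verified key. --trust-model always is safe
# only because verify_key has just confirmed the fingerprint out of band;
# without that check it would accept any key carrying this user ID.
encrypt_report() {
    in="$1"; out="$1.asc"
    fpr="$(normalize_fpr "$EXPECTED_FPR")"
    gpg --batch --armor --trust-model always \
        --recipient "$fpr" --output "$out" --encrypt "$in"
    echo "wrote $out; send it to $SEC_EMAIL"
}

# Usage: sh report.sh ./finding.txt
if [ $# -gt 0 ]; then
    fetch_key && verify_key && encrypt_report "$1"
fi
```

The fingerprint comparison is deliberately done on the normalised string rather than by eye: a keyserver can serve several keys sharing the short ID E24A7B33, and GnuPG will happily encrypt to whichever one was imported unless the full fingerprint is checked first.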

Acknowledgements

We would like to thank the following researchers:

(2020-10-10) Pritam Dash - Discovered exposed Tomcat default configuration scripts on a third-party-run website.

(2020-08-25) Rahad Chowdhury - Identified a cross-site scripting issue on the homepage.

(2020-08-13) Aaditya Kumar Sharma - Identified a cross-site scripting issue on one of the brand contact web pages.

(2019-08-25) Shivam Pravin Khambe - Identified a clickjacking vulnerability on our websites.

(2018-05-29) Abhishek Sidharth - Identified an exposed management interface in a customer's environment.