Report a security vulnerability

Purpose of this Policy

Next Payments Pty Ltd ABN 59 160 985 106 (NEXT/We/Us/Our)is committed to implementing appropriate information technology and security measures to protect its systems and data in accordance with the rules set out in this Responsible Disclosure Policy (Policy).

We encourage you to inform us about any security vulnerability or cyber threat you identify that affects us, subject to the rules below.

NEXT acknowledges the important role that responsible security researchers or our IT staff play in identifying vulnerabilities so that affected organisations can address them quickly and efficiently.

The following rules apply to your disclosure of a security vulnerability (Security Vulnerability Disclosure/Report)to us.

Please read the entirety of this Policy carefully about your rights and the terms and conditions of NEXT in relation to the report you made or are about to make. We consider every report properly and seriously.

‍

Entities covered by this Policy

Entities covered by this Policy are as follows:

1.    This Policy applies to Gobsmacked Loyalty Pty Ltd ABN 60 098 218 216 (Gobsmacked); and NEXT (can also be referred to as NEXT and related entities).

2.     Both NEXT and Gobsmacked are Australian Financial Services (AFS) Licence Holders operating in the payment services and technology industry. NEXT’s AFSL number is 474743. Gobsmacked’s AFSL number is 444609, and both have Authorised Representatives duly appointed.

‍

‍

Security vulnerabilities covered by this Policy

Security vulnerabilities within the scope of this Policy can be defined as follows:

3.    A security vulnerability that could allow an attacker to compromise the availability, integrity, or confidentiality of NEXT and related entities, for example, payment service products and/or payment service technology, and/or payment services software, all are within the scope of this Policy.

4.    You may report to us under this Policy any security issues of which you become aware or notice, relating to our payment service technology that we use to provide to our clients and/or business partners. However, you are not authorised to actively look for such issues or potential issues without reasonable belief or evidence of such belief.

5.    You are authorised to look for and report to us, in accordance with this Policy any security vulnerabilities that affect any other payment service companies or technology systems operated by other payment service providers or by a third party in Australia.

6.    You are not authorised by this Policy to look for security vulnerabilities that affect NEXT and related entities, and/or any third party, except as stated above.

‍

Report of Security Vulnerability Disclosure to NEXT

‍

7.    You can report a security vulnerability disclosure to NEXT by completing the online form below.

‍

8.    In your submission, you must provide the following essential information:

A.    A short description of the vulnerability.

B.    Details of the systems that are affected by the vulnerability including potential failure of our system/service/software/product.

C.   Details of the security impact of the vulnerability.  How could an attacker exploit it in detail?

D.   Instructions on how NEXT can reproduce or verify the vulnerability.

E.    Any suggestions you have about how to fix the vulnerability? How soon NEXT should fix it and why?

F.    Any other relevant information to assist us in exploring the security vulnerability in our system/service/software/product.

‍

9.    If you identify a security vulnerability you must not exploit it, including for any person’s gain or the detriment of NEXT and related entities and/or any other person.  Instead, you should describe in your submission the “proof of evidence and relevant concept” as to how the vulnerability could be exploited by an attacker. A mere suggestion or opinion without evidence may not be adequate for us to investigate further about an attacker. We may also ask you for more information and/or evidence as we investigate along the way about any potential attack or exploitation.

‍

10.  We will endeavour to acknowledge your report promptly within 3 business days. If we consider the vulnerability material enough to make changes to our systems or practices, we will aim to let you know when we have done so.

‍

11.  We encourage you to provide us with your full name and contact details.  Unless otherwise required by law or by a regulator’s official request we will keep this information private and confidential.

‍

Confidentiality Requirement

12.  You must not disclose a security vulnerability you report to us to any other person, except to the extent:

A.    you are required by law and/or are compelled by a court order to do so;

B.    the vulnerability comes into the public (online/internet)domain other than due to your breach of this obligation; or;

C.   we provide our prior written consent to you.

‍

Queries

13.  If you have any queries about this Policy or how it applies, please complete the online form below.  If in doubt, please kindly ask us to avoid any unintentional breach of this Policy.

14.  NEXT will collaborate with you in any way possible to assist with your queries and we expect you to collaborate with us in good faith throughout the entire investigation process.

15.  If you engage in unlawful or unethical behaviour, we will stop liaising with your queries immediately.

‍

Changes to this Policy

16.  NEXT may review and/or amend this Policy from time to time or when the regulation or law requires us to make necessary amendments. We may also decide to revoke this Policy at any time.

17.  NEXT may assign a dedicated contact or liaison person for the online queries and/or reports you made to us to resolve the(potential) vulnerability issues properly and efficiently.

  This version of this Policy is dated 1 March 2024.

‍

‍