As a world-leading resources company, BHP works to ensure the security of our information systems and the integrity of all data held by us. We value and recognize the role of the Cybersecurity research community and welcome any reports or insights that may help to identify potential vulnerabilities in our information systems.
We endeavour to address each vulnerability report that we receive in a timely manner. While we are doing so, we require that all such reports remain confidential and are not disclosed to third parties or as part of paper reviews or conference submissions. We are comfortable with high-level descriptions of the research to be made available, but not the details of the identified vulnerabilities.
If you discover a potential security vulnerability, please do let us know as soon as possible. We would like to work with you to strengthen the confidentiality, integrity and availability of our systems.
Our Request to you:
- Inform cybersecurity@bhp.com of any findings of potential application vulnerabilities
- Do not attempt to exploit any potential vulnerabilities
- Do not attempt to access, modify or destroy any data
- Do not share details of the issue with others until it has been resolved
- Do not attempt to perform network Denial of Service (DoS or DDoS) test or other tests that impair access to or damage a system or data
- Do not attempt to perform physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing) or any other non-technical vulnerability testing
- Provide sufficient information that will help us to confirm and remediate any identified vulnerabilities Do not use scanners or automated tools to identify vulnerabilities – they are noisy and will produce a lot of false positives.
We Promise to:
Acknowledge the receipt of your potential vulnerability report in a timely manner
Submission Process:
Each vulnerability report submitted to BHP shall be a "Submission." Submissions must be sent to cybersecurity@bhp.com. Where applicable, please include your name, email and mobile number in the potential vulnerability report so that we can contact you for any required clarifications. Please also include the name(s) and email(s) of any other person(s) to whom you may have disclosed the suspected vulnerability.
Please also include as much of the following information as possible:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- IP address and/or URL of the subject Service
- Configuration and version of the subject software
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Impact of the issue, including how an attacker could exploit the issue
Please note that we do not provide any form of compensation (including but not limited to monetary compensation or financial benefits) to individuals or organisations for identifying potential or confirmed security vulnerabilities.