https://www.rea-group.comSecurity

Security

Online safety and security are of utmost importance at REA and we value the work undertaken by the research community. REA has partnered with Bugcrowd to manage our Bug Bounty Program, which provides a structured way for security researchers to report vulnerabilities in our products and services.

REA Bug Bounty Program (Bugcrowd)

The identification and disclosure of security vulnerabilities helps REA protect the safety and privacy of everyone using REA’s services. REA has partnered with Bugcrowd to provide monetary rewards for eligible vulnerability submissions based on severity and impact.

**Submit vulnerabilities to our Bugcrowd program at: **https://Bugcrowd.com/engagements/rea-mbb-og

Please observe all rules and good behaviour listed in the Bugcrowd scope document. Happy hacking!

Guidelines for Security Research

We require that researchers:

Adhere to the in-scope, out-of-scope, good behaviour, and terms outlined in our [https://Bugcrowd.com/engagements/rea-mbb-og](public Bug Bounty Program) (whether the researcher chooses to submit via the platform or not)

Use the identified communication channels to report vulnerabilities:

Bugcrowd, or

As defined in the Contacting Security Directly section below.

Keep information about the discovery of any defects or vulnerabilities confidential between yourself and REA until sufficient time has passed to resolve the matter, but no less than 90 days from the date of notification of the vulnerability to REA.

Provided that you follow the above we commit to:

Not pursue legal action related to your discovery and reporting of the vulnerability (in relation to any non-compliance with these guidelines, we reserve all of our legal rights);

Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 working days upon receipt of submission); and

Reward your submission with a monetary bounty.

ONLY applicable to submissions made via https://Bugcrowd.com/engagements/rea-mbb-og.

No monetary rewards are provided for email submissions.

Recognise your contribution on our [https://www.rea-group.com/about-us/news-and-insights/blog/responsible-vulnerability-disclosure-program-hall-of-fame/](Security Researcher Hall of Fame), if:

You are the first to report a new issue and we made a change based on your report.

The submission was not made via Bugcrowd.

Contacting Security Directly

For all vulnerability submissions please contact us via the [https://Bugcrowd.com/engagements/rea-mbb-og](Bugcrowd platform) where we are the most active, and we will strive to triage your submissions as soon as possible.

If you must contact us directly you can do so via the following email: mailto:[email protected]. Submissions made via email will NOT be eligible for rewards so please use Bugcrowd first.

Your report must include the following details:

Description of the location and potential impact of the vulnerability;

A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and,

Your name/handle and a link for recognition in our Hall of Fame.

By reporting a vulnerability disclosure to us you consent to us collecting your researching name and/or handle for the purpose of publishing your details in our responsible disclosure hall of fame.

Our [https://www.realestate.com.au/legal/privacy-policy](Privacy Policy) further explains how we collect, use and disclose personal information and how to access, correct or complain about the handling of personal information.

(If you do not wish to have your details published, please let us know at time of disclosure.)

We request that you encrypt your report by using our PGP key and that you delete any data as soon as it is no longer reasonably required.

If you are unsure whether your actions are In line with our policy, please contact our security team for guidance on mailto:[email protected].