Vulnerability Disclosure Policy

Effective Date: February 18, 2025

News Corp looks forward to working with the security community in an effort to keep our businesses and customers safe.  If you are a security researcher and have identified a suspected security vulnerability in newscorp.com, we appreciate your help in disclosing it to us in a coordinated and responsible manner.  If you report a valid security vulnerability in compliance with this Responsible Disclosure Policy (“Policy”), News Corp will endeavor to collaborate with you to understand, validate and resolve the issue. 

The intent of this program is to encourage coordinated and responsible disclosure. Unless required by law or law enforcement authorities, News Corp does not intend to initiate a lawsuit or law enforcement investigation against a security researcher who discovers and reports a security vulnerability in accordance with this Policy. Violation of any of the Policy rules can result in legal action. News Corp reserves all legal rights in the event of any noncompliance.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party, including a third-party application that is integrated with newscorp.com, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.

Your participation in this program is voluntary and subject to the terms and conditions set forth in this Policy.  By submitting reports or otherwise participating in this program, you agree that you have read and will follow this Policy.

News Corp reserves the right to change or modify the terms of this program or terminate this program at any time.

How to report a security vulnerability:

Our vulnerability disclosure program is managed by Bugcrowd. Submissions are subject to Bugcrowd’s Standard Disclosure Terms.

Please send us an email at [email protected] and include relevant information listed under Bugcrowd’s Report a Bug page. We will forward your email to Bugcrowd.

Scope
This policy applies only to this newscorp.com site.

Any domains not expressly listed above are excluded from scope and are not authorized for testing.

Program Rules
Please note our disclosure program does not provide any monetary or non-monetary reward.

  • Vulnerabilities must be disclosed to us privately with a reasonable time to respond. We will seek to respond quickly to your report.  You are not permitted to disclose a vulnerability or otherwise share details about a vulnerability with a third party prior to resolution without News Corp’s express written permission. 
  • We will not publicly disclose the identity of any researcher without consent, except where required by law.
  • You must include detailed information with reproducible steps. We request that researchers provide sufficient technical details and background necessary for us to identify and validate reported issues.
  • You must comply with News Corp’s Terms of Use and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
  • You are prohibited from engaging in any activity that would be disruptive, damaging or harmful to News Corp, its businesses or its customers. This includes, without limitation:
    • social engineering techniques (e.g., phishing);
    • posting, transmitting, uploading, linking to, sending, or storing any malicious software;
    • testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages;
    • Denial of Service (DoS) and Distributed Denial of Service (DDoS)-based attacks.
  • You are prohibited from engaging in any privacy violations, trading stolen user credentials, or destroying data.  
  • You may not access data except to the extent minimally necessary to identify a vulnerability, and use of such data must be limited to that which is necessary to identify and report the vulnerability. You are prohibited from compromising data that is not your own. 
  • You are prohibited from engaging in any activity that results in you, or any third party, accessing, acquiring, altering, copying, storing, sharing, transferring, deleting or otherwise processing customer or employee personal information, or News Corp confidential information.  If you inadvertently engage in any such activity, please stop testing and contact us immediately at [email protected].  All copies of such information must be securely returned to News Corp and purged upon submitting the vulnerability to News Corp.  
  • You must securely delete News Corp information that may have been downloaded, cached, or otherwise stored on systems used to perform the research.
  • You may only use or interact with your own accounts for testing purposes. Do not attempt to compromise or otherwise gain access to an account you do not own.
  • Automated vulnerability scanning tools are strictly prohibited.
  • Do not exploit a vulnerability you discovered.  Use a proof of concept only to demonstrate an issue.
  • You must abide by the program scope. This program does not offer rewards for out-of-scope targets or excluded submission types (see “Targets” and “Excluded Submission Types” sections above). 
  • As a condition of participation in this program, you waive any rights to the confidentiality of the submitted work and, further, grant News Corp an irrevocable, worldwide, royalty-free, perpetual, transferable, sub-licensable license to use the submitted research, as well as any materials submitted therewith, for any purpose, and waive claims against News Corp based on News Corp’s license or the rights granted herein.
  • This program is not an offer of employment, nor of a contractual relationship between News Corp and any other party. 

Please submit a report to us or request additional testing permission before causing damage or engaging in conduct that may be inconsistent with this Policy. If you inadvertently cause a violation of this program Policy, please report the incident immediately to [email protected].