Lumen VDP

  • Safe harbor
  • No collaboration

We no longer offer point rewards for submissions on this program. Please refer to our blog post "How Bugcrowd sees VDPs and points" for more details.

Program stats

  • Vulnerabilities accepted: 113
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Vulnerability Disclosure Policy:

Lumen cares deeply about maintaining the trust and confidence that parties place in us. Accordingly, a top priority at Lumen is the security of our systems and the services they may support. Lumen applies a rigorous process to continually evaluate and improve our vulnerability response practices, including encouraging the disclosure of identified vulnerabilities under this Vulnerability Disclosure Policy. If you are a security researcher and have discovered a security vulnerability in one of our systems, we encourage you to disclose it to us in a responsible manner and in accordance with this Policy. We will not engage with security researchers who do not follow the terms of this Policy. Lumen will validate and remediate vulnerabilities in accordance with our commitment to security and privacy. Lumen will not take legal action against researchers who discover and report security vulnerabilities to us in good faith and in accordance with this Policy.

This Policy applies to Lumen and its affiliate companies, including CenturyLink and Quantum Fiber.

We encourage security researchers to share the details of any suspected vulnerabilities with the Lumen Information Security Team by completing and submitting the form at the bottom of this page. A vulnerability is an error, flaw, mistake, failure, or fault in a computer program found within Lumen’s publicly accessible online environment that affects the security of a device, system, network, or data.


We ask the following of you when conducting vulnerability research and submitting vulnerabilities to Lumen:

  • Report identified vulnerabilities to us immediately, as timely identification of security vulnerabilities is critical to mitigating potential risks;
  • Cooperate with us while we review the submission to determine if the finding is valid and has not been previously reported;
  • Include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

    • Details necessary to identify the impacted system
    • Type and/or class of vulnerability
    • Step-by-step instructions to reproduce the vulnerability
    • Proof-of-concept or exploit code
    • Potential impact of the vulnerability

  • Refrain from disclosing the identified vulnerability to anyone else for a reasonable period of time so that we may conduct validation and implement associated remedies for the vulnerability.

Do not engage in any of the following activities:

  • Accessing, downloading, or modifying data residing in any system or account that does not belong to you
  • Executing or attempting to execute any “Denial of Service” attack
  • Executing or attempting to execute any social engineering attacks
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
  • Testing in a manner that would damage or degrade the operation of any Lumen systems
  • Testing third-party applications, websites, or services that integrate with or link to Lumen systems
  • Testing that may violate any applicable law or impact the security or integrity of any personal or confidential information

This Policy and the Vulnerability Disclosure Program administered by Lumen are subject to change or cancellation at any time without notice. This Policy is for informational purposes only and it does not create any binding obligation on Lumen or any legal relationship between Lumen and anyone who submits a vulnerability.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. To qualify for a P1 or P2 classification a major product or environment must be impacted. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.