



Gallagher Animal Management Vulnerability Disclosure

We value responsible security research and customer feedback. If you believe you have found a potential security vulnerability in any Gallagher Animal Management solution, please tell us so that we can get it fixed. We provide a clear reporting path through this form, commit to timely communication, and offer good-faith safe harbour for following these guidelines.


If a reported security vulnerability affects a third-party product used in our solutions, we will coordinate with that vendor while protecting your information. 

Definitions 


Vulnerability – functional behavior of a product or service that violates an implicit or explicit security policy. 
Disclosure – act of initially providing vulnerability information to a party that was not believed to be previously aware. 
Coordination – set of activities including identifying and engaging stakeholders, mediating, communication and other planning in support of vulnerability disclosure. 
Remediation – change made to a product or service to remove or mitigate a vulnerability. 
Advisory – a document or message meant to inform others about a vulnerability including, if possible, how to identify and remediate vulnerable systems. 

The Vulnerability Disclosure program applies to Gallagher Animal Management software solutions. 


Methods of Disclosure 


Our preference is that you disclose a security vulnerability privately to us by completing this form. We may choose to publish the details of the vulnerability; however, this is done at the discretion of Gallagher Animal Management, not the security researcher or customer. This means that some vulnerabilities may never be made public.  

At this point, we do not accept anonymous reports; we value collaboration. Keep in mind that anonymity limits engagement in disclosure discussions.


What you should not do 


Gallagher Animal Management considers the following activities either potentially harmful or not helpful to the security of our specific products.

  • Social Engineering, including phishing. 
  • Brute-force attacks. 
  • Denial of Service (DoS/DDoS) attacks. 
  • Accessing data or information that does not belong to you.  
  • Destroying or corrupting data or information that does not belong to you. 
  • Publishing or sharing with others vulnerabilities or any personal information that you have obtained. We do not want others to try to exploit the vulnerability.  
  • Sharing or publishing any information you have obtained from Gallagher Animal Management during this process, as that could cause harm to individuals, may be considered a breach, and could expose you to liability.
  • Tampering with Gallagher hardware. 

Out-of-scope vulnerability types 


Gallagher Animal Management considers the following vulnerability classes as out of scope: 

  • Verbose error messages without significant impact 
  • Issues related to unsupported browser versions 
  • Insecure/Missing HTTP request methods 
  • Use of known-vulnerable libraries in non-exploitable contexts 
  • Clickjacking without demonstrated impact 
  • SPF/DKIM/DMARC record issues  

What to tell us 


Please provide as much information as you can in this form. If you need assistance, please email us at am.techsupport@gallagher.com.

In the form, please include:

  • Your contact details (name, email address, organisation, and role: customer or security researcher).
  • Clear, step-by-step instructions and any relevant proof-of-concept (PoC) code that demonstrates how to reproduce the vulnerability. If additional details are needed to verify or replicate your finding, we will contact you for clarification.
  • Any observations of unusual or abnormal operation prior to the incident
  • Affected product and versions 
  • Affected configurations 
  • If personal information was exposed 
    • Redact any personal information before reporting. 
    • What happened with any personal information exposed. 
  • Whether the vulnerability has been shared with others or published. 
  • Any references or further reading that may be appropriate. 
  • Recommendation on how the issue could be mitigated or resolved. 
  • Assistance in retesting the issue once a fix has been implemented. 
     

What we will do 

 

  • We will acknowledge receipt of your email within 5 working days. 
  • Review the report you have filed and validate your finding. 
  • We will contact you via the email address you provided to share the results of our investigation and any actions we have taken. Where you have provided resolution steps, we will review and take them into consideration as part of our response. 
  • Prioritise fixes based on severity and risk; some fixes may depend on third parties and take longer. We will provide periodic updates until closure.  
  • Consider initiating assistance in retesting the issue once a fix has been implemented (if necessary). 
  • We do not currently operate a monetary vulnerability disclosure program; where a report is novel, in-scope and you’ve followed these guidelines, we may offer a token of appreciation (swag) subject to availability and applicable laws.

Safe harbour 

 

  • Gallagher Animal Management recognises and appreciates the important role played by independent security researchers and our customers in helping to keep our solutions secure.  
  • We will not pursue legal action or refer to law enforcement solely for reporting a security vulnerability to us, provided you act in good faith, comply with this guideline and avoid harm or disruption. 
  • When you report a security vulnerability to us, we will initiate the steps outlined in the ‘What we will do’ section. During this disclosure process, we will manage all sensitive information on a highly confidential basis and follow the need-to-know principle internally. Similarly, we ask you to:
    • Maintain strict confidentiality. Do not share the vulnerability with anyone else unless we’ve given you written approval. If you believe someone else needs to be informed, email am.techsupport@gallagher.com and legal@gallagher.com and an authorised Gallagher Information Security Manager or Legal team member will be in touch with you.   
    • If you need to clarify these guidelines, please email us at am.techsupport@gallagher.com.
    • Please understand that if the security vulnerability involves another vendor that is not Gallagher Animal Management, we cannot authorise security research on their behalf or waive their rights; that third party may determine whether to pursue legal action.
    • Comply with all applicable laws and regulations. 
    • Please contact us at am.techsupport@gallagher.com before engaging in conduct that may be inconsistent with or not covered by this guideline. We may withhold safe-harbour protection for activities that are malicious, reckless, out-of-scope, or non-compliant and reserve the right to determine whether a violation of this guideline is accidental or in good faith.

Privacy and data protection 


We will handle any personal information in your report in line with our privacy statement and applicable privacy and data protection laws. Where required by law, we will notify the relevant authority and affected individuals.

Changes to this guideline 


We may update this guideline. When we do, we’ll post the new version on this page.  

If you want to clarify anything, please email us at am.techsupport@gallagher.com.

 

To let us know about a vulnerability you have discovered, please complete the form below.

Your contact details

What potential vulnerability have you identified?

By submitting this form, you consent to Gallagher Animal Management storing your personal information for as long as necessary to fulfil the approved purposes and to contact you. Your information will be collected and stored securely by Gallagher Group Limited based in New Zealand and may be shared with the wider Gallagher group as necessary. For full details on how we use and manage your personal information, your rights to access, correct or delete your personal information, and how to contact us about your personal information, please see our Privacy Statement.