
Vulnerability Disclosure Reporting Policy

Introduction

Silver Fern Farms values the security of our services and is committed to maintaining a robust and secure environment for our customers. This policy is intended to give security researchers clear guidelines for vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Our Request 

  • Only conduct testing according to the scope defined in this policy.

  • Do not break the law. 

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

  • Notify us as soon as possible after you discover a real or potential security issue. 

  • Provide reports of potential security issues that meet the criteria below.

  • Give our teams a reasonable time to investigate and resolve the issues you have reported – this may include time for us to liaise with third-party service providers.

  • Do not change any data on our systems or services.

  • Only access the data that is necessary to demonstrate a vulnerability. 

  • Do not disrupt our systems or services by using high-intensity or destructive scanning tools or techniques, nor attempt Denial of Service.

The following test methods are NOT authorised (EXCLUDED): 

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.

  • Credential brute forcing against authentication systems. 

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

Bug Bounty 

Unfortunately Silver Fern Farms does not have a paid bug bounty program. However, we are grateful to security researchers who responsibly investigate and report security vulnerabilities. 

Silver Fern Farms are committed to prompt correction of vulnerabilities. Please refrain from sharing or publishing information about any discovered vulnerabilities for 90 calendar days from receipt of acknowledgment of your report. We reserve the right to request further time before you make any published disclosure. 

Scope

This policy applies to security issues found on Silver Fern Farms systems and services, or to data you suspect has been compromised and that may constitute a security incident. This policy applies to the following domains:

  • silverfernfarms.co.nz

  • silverfernfarms.com 

  • silverfernfarmer.co.nz

  • silverfernfarms.coop 

  • sffcalf.co.nz

  • sfftest.com 

  • silverfernfarm.com 

  • silverfernfarm.co.nz

  • sfflab.co.nz 

  • sff-vpn.net

  • silverfernfarms.kiwi 

  • ppcs.co.nz

  • silverfernfarms.de 

  • silverfernfarms.co.uk

  • tracesilverfernfarms.com 

  • sffcalf.com

  • sffcalf.nz 

  • sff.co.nz

  • apps-silverfernfarms.com 

  • bestcutsbestrecipes.co.nz

  • silverfernvenison.com 

  • silverfernbeef.co.uk

  • silverfernbeef.com 

  • silverfernmeats.com

  • silverfernfarms.gr 

Only conduct vulnerability testing against domains which have a security.txt file in their /.well-known/ directory. Sub-domains are in scope if their parent domain is in scope (i.e. has a security.txt file).

Silver Fern Farms develop and maintain multiple internet-accessible systems or services. We ask that any vulnerability reporting be conducted on the systems and services covered by the scope of this document.

This vulnerability disclosure policy does not apply to third-party services, applications, or software used within our environments. Vulnerabilities identified in such third-party components should be reported directly to the responsible vendor or project maintainers. 

If you are unsure of the scope or think that a system that is not in scope needs testing, please contact security@silverfernfarms.co.nz to discuss before testing. 

Please do NOT report the following security issues: 

  • Do not submit a high volume of low-quality reports.

  • Volumetric vulnerabilities are not in scope; any form of Denial of Service attack is prohibited.

  • Reports of non-exploitable vulnerabilities, or reports that our services are configured in a manner that you believe could be improved, e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or sub-optimal email-related configuration (SPF, DMARC etc.).

  • TLS configuration weaknesses, for example weak cipher suite support or the presence of TLS 1.0 support, are not in scope.

Reporting a Vulnerability

If you believe you have found a security issue that meets the scope detailed above, please send your report to us using security@silverfernfarm.co.nz. Initial reports should include a brief description of the type of vulnerability and the system or service this has been found in (e.g. the website address or application name). 

Once a report is received, you will receive an acknowledgement reply from our security team with a reference number and a request for further information. Acknowledgements are usually provided within 24 hours but may be issued up to three working days from your submission.

A detailed technical description should then be supplied including: 

  • The website, IP, or specific page where the vulnerability can be seen.

  • Further information about the vulnerability, including its potential for exploitation and potential consequences if exploited. 

  • Steps to reproduce the vulnerability, including screenshots or screen capture videos.

Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details to aid in the accurate identification and/or remediation. 

If you believe that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Feedback 

Please feel free to provide us with any feedback or suggestions regarding this policy. You can contact us via email at security@silverfernfarms.co.nz.