Last updated on 23-06-2026

Vulnerability Disclosure Policy

Tata Steel Limited (hereinafter referred to as “We”, “Us”, “Our”) takes the security of our systems and the protection of our data seriously. We value the security community and believe that responsible disclosure of vulnerabilities helps keep our users, customers, and systems safe.
If you believe you have found a security vulnerability in any of our systems, we want to hear from you. This policy explains how to report it, what you can expect from us, and the rules that keep your research protected.

1. Scope

This policy applies to: tatasteel.com.

The following are not authorised for testing:

  • Any domain or system not listed above, including third-party services we use but do not operate.
  • Physical security of our offices, facilities, or staff.
  • Social engineering of our employees, contractors, customers, or vendors.
  • Denial-of-service (DoS/DDoS) or resource-exhaustion testing.
  • Automated scanning that degrades service.

If you are unsure whether something is in scope, please ask us first before testing.

2. Rules of engagement

To qualify for safe harbour under this policy, you must:

  • Make a good-faith effort to avoid privacy violations, data loss, and service interruption.
  • Only interact with accounts you own or are explicitly permitted to access.
  • Stop immediately and report without copying or retaining data if you encounter personal or confidential information.
  • Use a vulnerability only to the minimum extent needed to confirm its existence.
  • Not publicly disclose the issue until we have had a reasonable opportunity to remediate it.
  • Comply with all applicable laws.

3. Findings that usually do not qualify

The following generally do not qualify as reportable vulnerabilities on their own, unless you can demonstrate a realistic security impact:

  • Reports from automated tools or scanners without a working proof of concept.
  • Missing security headers without a demonstrated exploit.
  • Clickjacking on pages with no sensitive actions.
  • Self-XSS or issues requiring unlikely user interaction.
  • Rate-limiting concerns without demonstrated impact.
  • Disclosure of public or non-sensitive information.

4. How to report

Please email [email protected] with the following details:

  • The type of vulnerability and the affected asset (URL, endpoint, parameter).
  • Step-by-step instructions to reproduce it.
  • A proof of concept (screenshots, request/response captures, or a short video) where possible.
  • The potential impact as you understand it.
  • Any suggested remediation, if you have one.

You may report anonymously. If you would like credit for your finding, please let us know how you would like to be acknowledged.

5. What you can expect from us

  • Acknowledgement of your report within 3 business days.
  • A triage assessment within 10 business days, including whether we have validated the issue.
  • Regular updates on remediation progress for valid findings.
  • Credit for your contribution, with your permission, once the issue is resolved.

This is a coordinated disclosure programme; we do not currently offer monetary rewards.

6. Safe harbour

We consider good-faith security research and vulnerability disclosure conducted in accordance with this policy to be authorised. We will not pursue or support legal action against you for accidental, good-faith violations of this policy. This protection applies only to the extent that your activities comply with this policy and with applicable law. If a third party initiates legal action against you for activity conducted in accordance with this policy, we will take steps to make known that your actions were authorised.

7. Disclosure

We are committed to remediating valid vulnerabilities promptly. We ask that you give us a reasonable period — typically 90 days from acknowledgement — to resolve the issue before any public disclosure, and that you coordinate the timing and content of any public disclosure with us.

8. Questions

If any part of this policy is unclear, or you would like authorisation for testing that falls outside the scope above, please contact us at [email protected] before proceeding.
