Vulnerability Disclosure Policy

A&O Shearman is committed to the safety and security of client and firm data and the privacy of our users.


This Vulnerability Disclosure Policy (VDP) explains how to report potential security vulnerabilities affecting A&O Shearman websites, applications, and other online services, and how we will engage with you when you do so. The VDP applies to suspected or confirmed cyber vulnerabilities related to A&O Shearman websites or online services that you have discovered and want to report to us. We value the efforts of security researchers who discover and report such vulnerabilities to us. We do not offer monetary or other rewards for reported vulnerabilities.

How to report

If you believe you have discovered a security vulnerability in our websites or online services, report it to this email: reportvulnerabilities@aoshearman.com

Include the following:

  1. The website URL and IP address at which the vulnerability was observed.
  2. A description of the vulnerability observed.
  3. Step-by-step details of how to reproduce the vulnerability observed. These must be benign and non-destructive so that we can verify and triage the vulnerability and check for duplicate reports or otherwise known vulnerabilities. Please include relevant request/response samples, timestamps (UTC), the tools used, proof‑of‑concept code or screenshots where helpful, and your testing source IPs.
  4. Your contact details, if you wish to be informed of our response. These are optional; reports may be submitted anonymously.

Please do not include any personal data beyond your own contact details. If, in verifying a vulnerability, you encounter personal or confidential data, stop testing immediately, do not copy or share the data, and notify us in your report.

Our response

We aim for a transparent disclosure process:

  • We will acknowledge your report within five business days.
  • We will attempt to triage the report and provide a remediation timeline within ten business days. Timelines are targets and may vary depending on severity, complexity, and third‑party dependencies, but we will communicate material changes.
  • We will aim to update you regarding our progress. Upon resolution, we will inform you and may request confirmation of the fix.
  • We request that you keep all communications regarding the vulnerability confidential until it is resolved, to ensure mutual trust and the flexibility to work with us towards its resolution.
  • We request that any public disclosure be coordinated with us so that it occurs simultaneously.

Important notes

Nothing in this policy permits activity that would breach the law, client confidentiality, professional secrecy, or contractual obligations, nor does it permit access to data you are not authorised to access. When conducting security research, you must comply with all applicable laws and regulations.

All retrieved data must be securely deleted within one month of the vulnerability being resolved or as otherwise required by data protection law. In most cases we will ask you to delete any non‑public data immediately upon reporting, and to confirm deletion in writing once remediation is complete.

Only interact with data or accounts you own or have permission to access. Do not attempt to access client data, privileged information or internal systems not explicitly in scope.

You must not modify data in our systems or services, share retrieved data, or demand financial compensation for vulnerability disclosure, as we do not offer monetary rewards. Requests for payment or gifts in exchange for non‑disclosure are not appropriate and will not be considered.

Testing must be limited to what is necessary to confirm a vulnerability’s presence. You must not use high‑intensity, invasive or destructive techniques to find vulnerabilities.

You must not attempt any type of denial of service or otherwise disrupt our systems and services.

You must not submit reports about non-exploitable vulnerabilities or the mere absence of common best-practice configurations. By way of example, the following are normally out of scope and should not be reported unless you can demonstrate specific exploitability or impact:

  • Missing SPF/DMARC records
  • Clickjacking on non‑sensitive pages
  • Missing security headers that do not lead to a direct exploit
  • Version disclosure or banner information
  • Rate‑limiting or brute‑force findings without evidence of credential stuffing risk
  • Use of deprecated TLS ciphers where strong alternatives are also offered
  • Reports based solely on automated scans without a clear, validated impact

You must not use social engineering (including phishing or impersonation of A&O Shearman staff), or physically attack or interfere with A&O Shearman infrastructure. Do not attempt credential stuffing, password spraying, or account takeover on live user accounts. Do not pivot to third‑party or client systems.

Test methods that are not authorized include:

  1. any activity that degrades service, including DoS/DDoS or resource‑exhaustion
  2. introduction of malware
  3. establishing persistence, lateral movement or privilege escalation
  4. high‑volume automated scanning that could affect availability
  5. use of stolen credentials or access tokens

This policy is intended to support responsible vulnerability disclosure good practice. It is not permission to act in contravention of the law or in any manner that may cause A&O Shearman or its partners to be in breach of legal obligations. Nothing in this policy waives any rights or remedies of A&O Shearman, creates any obligation to pay a reward, or creates a client or agency relationship. We may update this policy at any time by posting a revised version. For information about how we handle personal data provided in connection with a report, please see our Privacy Notice.