Computer Security Incident Response Team (CSIRT) and Responsible Disclosure Policy

If you believe an Equinor information resource or information system is at risk, please contact Equinor’s Computer Security Incident Response Team via email at csirt@equinor.com . See below for our Responsible Disclosure Policy and PGP key.

If you believe an Equinor information system represents a threat to yourself or your organisation, please email abuse@equinor.com .

Responsible Disclosure Policy

If you discover a vulnerability in one of our systems, we would like to know about it so that we can address it as quickly as possible. Please do the following:

• Email your findings to csirt@equinor.com . Encrypt your findings using our PGP key (see below) to prevent the information from falling into the wrong hands
• Include enough information for us to reproduce the problem
• Do not take advantage of the vulnerability, for example by downloading more data than is necessary to demonstrate the vulnerability or making changes to the information system
• Do not reveal the vulnerability to others until it has been resolved

Equinor’s Computer Incident Response Team will review your submission. If the vulnerability is valid, mitigation will be performed in accordance with the company’s internal procedures. You will be notified when the problem has been resolved.

We will not take legal action towards those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.

Any person’s private information will be treated according to Privacy and Data Protection in Equinor .