Vulnerability disclosure policy

Air New Zealand places the highest priority on the security and privacy of our information systems to safeguard our customers' and employees' data.
Last updated 16 April 2025, 8:47am

The vulnerability disclosure policy has been established to provide security researchers with clear guidelines for responsibly conducting vulnerability discovery activities on Air New Zealand's systems and websites. It also outlines the procedures for submitting identified vulnerabilities to Air New Zealand.

This page specifies the systems and types of research covered under this programme, the process for submitting vulnerability reports, and the requirements for the disclosure of submitted vulnerabilities.

If you identify a security vulnerability within our information systems, please refer to the information provided below for guidance on submitting a disclosure.

Scope

The following websites and their subdomains are in scope for the vulnerability disclosure policy programme.

If you discover a domain that is not included in the above list but you believe it may be owned by Air New Zealand, please send your query to infosec-disclosure@airnz.co.nz. We will inform you if the domain is in scope of the vulnerability disclosure policy programme.

Out of scope

The following are out of scope for the vulnerability disclosure policy programme:

  • Findings from physical testing, such as office access. For example, open doors, tailgating (the passage of an unauthorised user behind an authorised user), or compromising access cards.
  • Attacks requiring physical access to a user's device.
  • Findings derived primarily from social engineering. For example, phishing or whaling.
  • Findings from applications or systems not listed on the above list of websites.
  • UI and UX bugs and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) weaknesses.
  • Previously known vulnerable libraries without a working proof of concept.
  • Content spoofing or text injection.
  • Reports from automated tools or scans without accompanying demonstration of exploitability.
  • Missing best practices. For example, missing security headers, missing CAPTCHA, or insecure certs.
  • Insecure SSL or TLS issues. For example, ciphers or certificates.
  • Any form of unauthorised penetration testing of our services.
  • Obtaining personal information or potentially threatening the safety of our staff or customers.
  • Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to Air New Zealand.

Guidance

These guidelines are designed to help both you and Air New Zealand when you find a security issue with our systems. If you're doing security testing, please:

  • Make every effort to avoid actions that:
    • Breach the privacy of individuals.
    • Affect the performance of a system for our customers.
    • Disrupt or damage any "live" systems.
    • Destroy or corrupt Air New Zealand data.
  • Perform research only within the scope as set out above.
  • Delete and don't share any confidential information or personal information you might have obtained.
  • Keep any security issues you discover within our systems confidential between yourself and Air New Zealand until we have the opportunity to fix them.
  • Don't commit any illegal activity.
  • Don't breach any relevant laws in your country of origin or in the country from which the security testing is taking place.

Reporting a vulnerability

Please report your findings to infosec-disclosure@airnz.co.nz. By emailing or providing a disclosure to us, you agree that we can use your submission and its contents to ensure the security, integrity, and reliable operation of our technology and business.

If you're uncomfortable sending any of the following content by email, you may mask or redact sensitive content. If you want to encrypt data using a PGP key, email infosec-disclosure@airnz.co.nz and ask for one.

Please include the following information in your disclosure:

  • Clear description and evidence of the vulnerability, such as logs, screenshots, or web responses.
  • Detailed steps to reproduce the issue.
  • Any platforms, operating systems, or versions that are relevant.
  • Any relevant IP addresses or URLs.
  • Any supporting evidence you've collected, such as logging or tracing.
  • Your assessment of the exploitability or impact of the issue.
  • Your name, role (if appropriate) and contact details.

You can find our security.txt file here.

What to expect

Upon receiving a vulnerability disclosure, we will take the following steps:

  1. Acknowledgment: We will confirm receipt of your disclosure and provide you with a tracking number for reference. Our goal is to acknowledge all disclosures within three business days, excluding public holidays.
  2. Clarification and communication: We will engage with you to address any queries we have regarding your disclosure.
  3. If you act in good faith and follow this policy, then we make the following commitments to you:
    1. The information that you share with us as part of this process will be kept confidential within Air New Zealand and our directly contracted suppliers; and
    2. Your contact details won't be shared with third parties, without your permission; and
    3. We will not initiate legal action against people attempting to find vulnerabilities within our systems who adhere to this policy.