Cyber Vulnerability Disclosure Policy

LAST MODIFIED: JUNE 30, 2022

INTRODUCTION

Pollard Banknote Limited and its subsidiaries (“Pollard” or the “Company”) are leading lottery partners to more than 60 lotteries worldwide, providing high-quality instant ticket products, licensed games, retail merchandising solutions, and a full suite of digital offerings, ranging from game apps to comprehensive player engagement and iLottery solutions, including strategic marketing and management services.

Together, we are committed to the identification and remediation of cyber vulnerabilities that affect our information technology environments, including our systems and networks, and our digital products and services. The purpose of this policy is to document a process for the reporting of cyber vulnerabilities.

We encourage you to contact us at vulnerabilityreporting@pbl.ca to report potential cyber vulnerabilities in our systems.

LEGAL POSTURE

Pollard will openly accept cyber vulnerability reports and agrees not to pursue legal action against individuals who:

  • Notify us as soon as possible after discovering a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a cyber vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before disclosing it publicly.
  • Do not submit a high volume of low-quality reports.

Once you have established that a vulnerability exists, or if you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must:

  • Stop your test immediately.
  • Notify us without delay.
  • Avoid disclosing this data to anyone else.

HOW TO SUBMIT A VULNERABILITY REPORT

We accept cyber vulnerability reports at vulnerabilityreporting@pbl.ca. If a cyber vulnerability is discovered, you must provide a detailed summary of the cyber vulnerability, including the following:

  • Description of the vulnerability and its potential impact.
  • Product, version, and configuration of any software or hardware potentially impacted.
  • Step-by-step instructions to reproduce the issue.
  • Proof-of-concept.
  • Suggested mitigation or remediation actions, as appropriate.

When you submit a cyber vulnerability report, we will presume that you have:

  • Read, understood, and agreed to the guidelines described in this policy.
  • Consented to having subsequent communications stored on Pollard’s information systems.

Personal data submitted in a cyber vulnerability report will not be retained by Pollard, other than contact information used solely for coordination. By submitting a report, you acknowledge that:

  • You have no expectation of payment.
  • You expressly waive any future pay claims against Pollard or its subsidiaries related to your submission.

WHAT YOU CAN EXPECT FROM POLLARD

When you share your contact information with us, we commit to coordinating with you as openly and quickly as possible:

  • Within seven (7) days, we will acknowledge receipt of your report.
  • To the best of our ability, we will confirm the existence of the cyber vulnerability and communicate the steps being taken during remediation, including challenges that may delay resolution.
  • We will maintain open dialogue to discuss issues.

If communication or other issues arise, Pollard may engage a neutral third party to assist in addressing the vulnerability.

ACTIVITIES OUTSIDE THE SCOPE OF THIS POLICY

Pollard does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity on or affecting Pollard systems that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal and/or civil liabilities.

MODIFICATION OR TERMINATION OF THIS POLICY

Pollard may modify the terms of this policy or terminate it at any time.

QUESTIONS

Questions regarding this policy may be sent to vulnerabilityreporting@pbl.ca. We also invite you to contact us with suggestions for improving this policy.

© Copyright 2023 Pollard Banknote Limited. All rights reserved.