Vulnerability Disclosure Policy

Introduction 

At PRS for Music, we take the security of our systems and the protection of our members’, employees’ and licensees’ data seriously. We welcome reports of potential security vulnerabilities to help us keep our services safe. This Vulnerability Disclosure Policy sets out how security researchers and members of the public can responsibly disclose issues they discover. 

Scope 

This policy applies to: 

  • All publicly accessible PRS for Music websites, online services, and applications. 
  • Security vulnerabilities that could impact the confidentiality, integrity, or availability of PRS for Music systems or data. 

This policy does not authorise any activity that would cause harm to PRS for Music, its members, or its systems. 

Out of Scope 

The following are not considered in scope: 

  • Denial of service attacks (e.g., stress tests, automated flooding). 
  • Spam or social engineering against PRS for Music staff or members. 
  • Physical security vulnerabilities. 
  • Third-party services not operated by PRS for Music. 

How to Report 

If you believe you have discovered a security vulnerability, please email cyberalerts@prsformusic.com with the following details: 

  • A description of the vulnerability and its potential impact. 
  • Step-by-step instructions or proof-of-concept code (if available). 
  • Any relevant screenshots or logs. 

We ask that you: 

  • Report vulnerabilities promptly. 
  • Avoid accessing or downloading unnecessary amounts of data. 
  • Do not publicly disclose the issue until PRS for Music has confirmed it is resolved. 

What You Can Expect 

  • An acknowledgement of your report within 5 business days. 
  • Regular updates on the status of your disclosure. 
  • Notification when the vulnerability has been remediated. 

Safe Harbour 

If you act in good faith, avoid causing harm, and comply with this policy when reporting security issues, PRS for Music will not initiate legal action against you. 

Rewards 

PRS for Music does not operate a bug bounty programme. We do not offer financial rewards or compensation for vulnerability reports. Your contribution will still be greatly valued, and with your consent, we may credit you publicly for helping us improve security. 
