Report a security concern

At OVO Energy, we take the security of our systems and the protection of our customers' data seriously. We value the work of the security community and believe that responsible disclosure of security vulnerabilities helps us maintain a secure environment for everyone.

If you believe you have found a security vulnerability in an OVO Energy product or service, please let us know. We will investigate all legitimate reports and do our best to fix the issue as quickly as possible.

Reporting a Vulnerability

Please submit your findings to us via https://ovo.tines.com/pages/d7e2f76cb5216ff95b0c6c4509524b5b.

When reporting a vulnerability, please include:

  • A detailed description of the vulnerability.

  • Steps to reproduce the issue (proof-of-concept scripts or screenshots are helpful).

  • The potential impact of the vulnerability.

  • Your contact details so we can keep you updated on our progress.

Please do not include sensitive information (such as personal data or credentials) in your initial report. If we need more detail, we will provide a secure way to share it.

Our Commitment

If you follow the guidelines below when reporting an issue to OVO Energy, we commit to:

  • Acknowledge receipt of your report in a timely manner.

  • Investigate the report and provide an estimated timeframe for resolution.

  • Notify you when the vulnerability has been fixed.

Guidelines for Responsible Disclosure

To protect our customers and systems, we ask that you:

  • Avoid Impact to Users: Do not access, modify, or delete data belonging to OVO Energy customers. Only interact with accounts you own or have explicit permission to test.

  • Avoid Service Disruption: Do not perform Denial of Service (DoS) attacks, spamming, or social engineering (phishing) against OVO Energy employees or customers.

  • Maintain Confidentiality: Do not disclose details of the vulnerability to any third party or the public until OVO Energy has confirmed the issue is resolved.

  • Stay Within Scope: Only test systems and services owned by OVO Energy. This policy does not grant permission to test third-party services used by OVO Energy.

Rules of Engagement

While we encourage security research, the following activities are strictly prohibited:

  • Physical security attacks against OVO Energy offices or data centres.

  • Social engineering of OVO Energy staff, contractors, or customers.

  • Exploitation of a vulnerability beyond the minimum "proof of concept" required to demonstrate the risk.

  • Theft or exfiltration of OVO Energy data.

Bug Bounty Program Status

Please note that OVO Energy does not currently offer a paid bug bounty program. We are unable to provide financial rewards for vulnerability disclosures at this time. However, we are immensely grateful for the assistance of the security community in keeping our customers safe.

Please read these instructions fully before reporting any vulnerabilities to ensure that you understand this policy and can act in compliance with it. The instructions include further guidance on common good practice among well-intentioned security researchers. They do not give you permission to act in any manner that is inconsistent with the law or that would cause OVO to be in breach of any of its legal obligations.

If you have a general issue with your OVO account, please chat to us via webchat instead.