Vulnerability mailbox of the Iberdrola Group

At the Iberdrola Group we are committed to strengthening the security of our systems and the protection of our assets. Through this form we receive feedback from the community of security researchers that contribute to securing products and services for all the companies of the Iberdrola Group (Iberdrola S.A. subholding companies -Iberdrola España, S.A.U.; Scottish Power Ltd.; Avangrid, Inc.; Neoenergia, S.A.; Iberdrola México, S.A. de C.V. and Iberdrola Energía Internacional, S.A.U.- and all its subsidiary companies).
Incident search and analysis cannot be used as a pretext for unauthorised entry into a system or improper access to its data, as any activity must comply with current legislation. Particular care should be taken to:

  • Not to carry out activities that may interrupt or degrade Iberdrola's services and/or systems.
  • Avoid testing any service provided by a third party
  • Using social engineering techniques, which are prohibited
  • If access is gained to a system, account, or user data, stop the activity immediately and inform administrators.
  • Do not modify or destroy data that does not belong to you.
  • Any information obtained during the investigation should be securely deleted after the vulnerability has been reported.

Typical Out of Scope

A vulnerability will only be within scope if it can be demonstrated that there would be a real impact to Iberdrola, S.A. 
The following types of vulnerabilities are considered low impact and would be marked as Out of Scope if sent:

  • Clickjacking/UI Redressing.
  • Incomplete or missing SPF/DMARC/DKIM records.
  • Account/E-mail enumeration using brute-force attacks.
  • Directory structure enumeration (unless the attack reveals information that may be of specific interest to an attacker).
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms.
  • Descriptive or verbose error messages without proof of exploitation or obtaining information that may be considered sensitive.
  • Low impact information disclosures.

NOTICE - If what you report is not a vulnerability related to the group's websites and has to do with the operation of your energy supply or any other problem, you can find the corresponding mailbox at the following link: Contact channels: Custommer services

We have a contact mailbox where our suppliers can report possible cybersecurity incidents. You can find all the information here [PDF].