Legal / Security
Responsible Vulnerability Disclosure Policy
Last updated: 10 July 2026
Contact
| Channel | Details |
|---|---|
| Security email | security@privacycoreservices.com |
| Policy URL | https://www.privacycoreservices.com/en/legal/responsible-disclosure |
| security.txt | https://www.privacycoreservices.com/.well-known/security.txt |
In scope
- https://www.privacycoreservices.com and explicitly listed subdomains owned and operated by Privacy Core Services.
- Public website forms, authentication endpoints and interactive tools operated by Privacy Core Services.
- Other assets only where Privacy Core Services has confirmed in writing that they are in scope.
Out of scope
- Third-party products, services, customer systems or partner sites not controlled by Privacy Core Services.
- Social engineering, phishing, impersonation, physical attacks or attacks on staff, suppliers or clients.
- Denial of service, load testing, spam, destructive testing, persistence, malware or resource exhaustion.
- Accessing, modifying, downloading or retaining personal, confidential or client data beyond the minimum necessary to demonstrate the issue.
- Testing that violates another person's rights, terms or systems.
- Reports consisting only of scanner output, missing headers, software version observations or low-impact findings without a credible security consequence.
Rules for good-faith research
- Use the minimum testing necessary to confirm a vulnerability and stop if personal, confidential or client information is encountered.
- Do not exploit a vulnerability beyond proof of concept, create persistence, move laterally, alter data or interrupt service.
- Use accounts and data you own or are authorised to use.
- Report promptly and keep details confidential while we investigate and remediate.
- Securely delete any data obtained accidentally and tell us what was accessed.
- Comply with applicable law and this policy.
What to include in a report
- Affected URL, asset, feature and environment.
- Vulnerability type, impact and realistic attack scenario.
- Clear reproduction steps and a minimal proof of concept.
- Date/time, browser, tool versions and relevant request/response evidence.
- Whether any data was accessed and the immediate steps taken to stop and delete it.
- Your contact details and preferred attribution, or a statement that you wish to remain anonymous.
Our response
| Milestone | Target |
|---|---|
| Acknowledgement | Within 2 business days |
| Initial triage | Within 5 business days |
| Progress updates | Every 10 business days while a validated issue remains open |
| Disclosure coordination | Agree a reasonable publication approach based on severity, remediation and affected users |
We do not currently promise a reward or bug bounty. We may acknowledge helpful researchers with permission, but recognition is discretionary.
Safe harbour
Where research is conducted in good faith, stays within this policy, avoids harm and is promptly reported, Privacy Core Services will not seek civil action or refer the activity for criminal prosecution merely because it involved the good-faith security research described here. This statement does not authorise activity on third-party systems, waive rights of other people or protect conduct that is malicious, reckless, unlawful or outside the policy.