Responsible disclosure policy

Maintaining secure and private services is important to us and our customers. Being 'secure' is unattainable for any connected system, and issues inevitably occur. If you discover a security issue, we would like to know about it so that we can address it as quickly as possible and better protect our clients and systems.

We operate a Responsible Disclosure policy which lays out the guidelines for reporting issues. We believe Responsible Disclosure is the industry’s best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.

Not an invitation to scan

We do not invite scanning of our network unless we have entered into an agreement permitting this. Unauthorised scans and investigations may trigger automated blocking of services, which costs engineer time and causes customer disruption.

Reporting a security problem

Should you discover a problem, use our contact page to advise us as soon as possible. Please provide a method for us to contact you should we require more information.

We ask you to give us a minimum of 30 days to resolve the issue before publicising the reported issue.

If you have followed this Responsible Disclosure policy, we will not pursue legal action, and we will work with you as we resolve the issue.

We do not consider configuration issues such as SPF, DMARC, data entry field validation, or error pages such as 404 to be in scope of this policy.