Security Disclosure Policy
The aim of this page is to explain what to do if you find a BUG or VULNERABILITY within this web application.
Whilst not a legal document, it does outline intentions that may relate to law.
In short: please play nice and we’ll also play nice. We use platforms used by 1000,000’s of people, so there will be plenty of recognition, but we’re a small company, so not so much $$$, sorry.
CONTACT
It will be dealt with ASAP. If you would like a public key, just ask.
INDEMNIFICATION
Where the law permits, we will not disclose or prosecute if you do not cause any interruption to business and only discover limited ‘proof of concept’ amounts of data. Please bear in mind that, according to GDPR, if any personally identifiable information is discovered we are required to report this to the ICO. We don’t need to report you personally, but we would be asked ‘how do you know?’!
BOUNTIES
We are a small company, so large financial rewards are unfortunately not possible. However, we can certainly do you a great deal on any of our products! Maybe you need to change the colour of the seats in your car? We’ll send you the needed items for free (up to a maximum value, including postage costs, of £100). This is not per bug or per issue: if you find many bugs/problems in one instance, sorry, we can’t multiply the bounty. Also, if we are already working on a fix for a known problem, we will let you know that someone else has already found it, and so no reward is available for that. Unfortunately, due to the nature of this, we can’t keep a public list of any security problems we’re working on to fix, so there is no way to know this up front.
FURTHER PROOF
If you’d like to be able to make ‘breaking’ changes or carry out other activities that could possibly interrupt business, then please request that we clone the site and anonymise the data. This activity would only take 1-2 days and would provide you with a sandbox to operate on.
DISCLOSURE
We would like to be able to co-ordinate disclosure. That is, if you could give us time, perhaps as much as 1-2 weeks, to resolve the problem/bug/vulnerability prior to going public.
We appreciate that the platforms we use are open source and used by 100,000’s of people and companies, so disclosing the problem will in fact impact many more companies and people than just us. As such, disclosure to the maintainers of those platforms is not only permitted, but encouraged. But please do inform us in addition, and do so without direct reference to our site/systems.
THANK YOU
I hope that, by the tone and words contained in this policy, it comes across as a friendly and polite notice. We appreciate any feedback that we can use to adjust or amend it.
A family developer friend helped construct this with assistance from https://titanous.com/posts/security-disclosure-policy-best-practices.