Security Vulnerability Disclosure Policy

External Vulnerability Reporting Policy

We take the security of our systems, products, and services seriously. If you believe you have discovered a security vulnerability, we encourage you to report it to us responsibly.

We are committed to working with security researchers, customers, and the wider community to verify and remediate legitimate security issues in a timely manner.

Reporting a Vulnerability

Please report suspected vulnerabilities by email to:

security@onebigcircle.co.uk

For sensitive information, please encrypt your report using our PGP public key.


What to Include in Your Report

To help us investigate efficiently, please include as much of the following information as possible:

  • Description of the vulnerability
  • Affected product, service, version, or URL
  • Steps to reproduce the issue
  • Proof-of-concept code or screenshots, where applicable
  • Potential impact assessment
  • Any suggested remediation
  • Your contact details for follow-up communication

Our Commitment

When you submit a vulnerability report in good faith, we will:

  • Acknowledge receipt of your report within 5 business days
  • Investigate and validate the issue
  • Keep you informed of remediation progress where appropriate
  • Work to remediate confirmed vulnerabilities within a reasonable timeframe based on severity and operational impact
  • Coordinate disclosure responsibly where public disclosure is appropriate

Scope

This policy applies to:

  • Public-facing web applications
  • APIs and online services
  • Customer portals
  • Cloud-hosted infrastructure operated by us
  • Software products and associated update mechanisms

Third-party services not operated by us are outside the scope of this policy.

Safe Harbour

We will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations, data destruction, service disruption, or exploitation beyond what is necessary to demonstrate the vulnerability
  • Do not access, modify, or retain customer data unnecessarily
  • Comply with applicable laws and regulations
  • Provide us a reasonable opportunity to remediate the issue before public disclosure

Activities such as social engineering, phishing, physical attacks, spam, denial-of-service attacks, or destructive testing are not authorised.

Contact

For all security-related enquiries:
security@onebigcircle.co.uk
