Purpose
DefendVista values the work of security researchers and the wider security community. This policy explains how to report vulnerabilities discovered in DefendVista systems or services, how we will handle reports, and the standards we expect researchers to follow. It is intended to create a clear, low-friction path for responsible disclosure that protects both the researcher and the people whose data and operations depend on our systems.
Scope
This policy applies to vulnerabilities identified in systems owned and operated by DefendVista Ltd, including:
- defendvista.com and associated subdomains
- defendvista.co.uk and associated subdomains
- Publicly accessible web applications and services operated directly by DefendVista Ltd
Third-party services, platforms, hosted software, and infrastructure providers used by DefendVista are outside the scope of this policy and should be reported directly to the relevant vendor or provider. If you are uncertain whether a system is in scope, describe it in your email and we will confirm before you proceed.
How to report a vulnerability
Send all responsible disclosure reports by email to [email protected]. This is the only reporting channel. Reports sent via the general contact form may be delayed.
To help us investigate efficiently, please include where possible:
- A clear description of the issue and its potential impact
- The affected system, page, URL, endpoint, or asset
- Step-by-step instructions to reproduce the issue reliably
- Proof of concept, screenshots, request samples, or log extracts where safe to provide
- Your contact details for follow-up questions
Please do not include sensitive personal data, authentication credentials, private keys, or large data extracts in your report unless they are strictly necessary to demonstrate the issue. If you have accessed personal data during research, stop, do not store or copy it further, and note in your report what was accessed and why. We will handle this with discretion.
Research guidelines
We ask researchers to act in good faith and minimise risk to users, data, and service availability. The distinction that matters is between demonstrating that a vulnerability exists and exploiting it beyond that point.
- Act lawfully and in good faith throughout
- Stop testing once you have sufficient evidence of the issue
- Avoid accessing, copying, or storing data beyond what is necessary to confirm the vulnerability
- Give us a reasonable opportunity to investigate and remediate before any public disclosure
- Contact us if you are uncertain whether a planned test is in scope before proceeding
Do not:
- Access, alter, download, copy, or delete data that does not belong to you
- Exploit a vulnerability beyond what is necessary to confirm it exists
- Carry out denial-of-service, resource exhaustion, or service degradation testing
- Use automated scanning that materially affects service availability
- Attempt phishing, social engineering, physical intrusion, or credential attacks against DefendVista personnel or systems
- Pivot from DefendVista systems into third-party systems or shared infrastructure
Security is a discipline, not a performance. These guidelines exist to protect the people who use our systems and the evidence trail that matters in the event of a real incident. A researcher who confirms a vulnerability exists and reports it promptly has done the job. Going further creates risks that are not in anyone's interest.
Our disclosure process
When we receive a report, we follow a consistent process regardless of severity:
1. We aim to acknowledge receipt within 3 to 5 working days. If you have not received acknowledgement after five working days, follow up to the same address.
2. We assess whether the report is valid, in scope, and reproducible. We may contact you for clarification or additional detail during this stage.
3. Where a report is confirmed, we triage and prioritise remediation based on risk, operational impact, and any dependencies on third-party systems or suppliers.
4. We will update you on remediation progress where appropriate, particularly for issues that require extended timelines.
5. We ask that researchers avoid public disclosure until remediation is complete or a disclosure timeline has been agreed between the researcher and DefendVista. We aim to work to timelines that are reasonable for both parties.
Response and remediation times will vary depending on severity, complexity, and whether coordination with third parties is required. We will communicate transparently where timelines are extended.
Safe harbour
Where research is carried out in good faith and in line with this policy, DefendVista will treat the activity as authorised for the purposes of this disclosure process. We do not intend to pursue legal action solely in relation to a report submitted under these conditions.
This safe harbour applies only to activity that is consistent with this policy. It does not extend to actions that cause harm, service disruption, or privacy violations; to data access beyond what is strictly necessary to confirm the vulnerability; or to activity targeting third-party systems, infrastructure, or individuals. If you are uncertain whether a planned action falls within scope, ask before you proceed.
If you find something, report it promptly and in good faith, and do not go further than confirming the issue: you have nothing to worry about. We are a cybersecurity firm. We understand how this works and we treat responsible researchers accordingly.
Recognition and bug bounty
DefendVista does not currently operate a bug bounty programme and does not guarantee financial rewards for reported vulnerabilities.
We do appreciate responsible reporting and may acknowledge valid disclosures publicly or privately at our discretion, subject to the researcher's preference. If you would prefer to remain anonymous, please say so in your report and we will respect that.
Policy contact and reporting address
All security vulnerability reports should be sent to: [email protected]
For general business enquiries, service questions, or anything that is not a security vulnerability report, please use the contact page. Mixing security and general enquiries in the same inbox creates handling delays for both.
For active incidents affecting your own organisation, call the incident intake line: +44 (0)33 0122 4448
Last updated
March 2026. This policy may be updated from time to time. Material changes will be noted here with a revised date.