
Vulnerability Disclosure Policy

DefendVista is committed to the security and integrity of our systems and data. We welcome responsible disclosure of vulnerabilities identified by independent researchers and commit to responding with transparency and without legal threat to good-faith research conducted within this policy.

Last updated: January 2026
Contact: [email protected]
Computer Misuse Act 1990 in scope

Section 01

Scope

This policy applies to security vulnerabilities affecting systems, services and infrastructure operated directly by DefendVista Ltd:

  • Public-facing DefendVista websites and domains (defendvista.com and subdomains)
  • Infrastructure and services operated directly by DefendVista
  • Cloud-hosted environments under DefendVista's administrative control

This policy does not authorise testing of:

  • Third-party systems, services, or infrastructure not operated by DefendVista
  • Customer or partner environments, unless explicitly agreed in writing for a specific engagement
  • Physical security controls, premises, or access systems
  • Social engineering: phishing, pretexting, impersonation of staff or customers
  • Denial-of-service or volumetric attack testing of any kind

Scope ambiguity
If you are unsure whether a target is in scope, contact [email protected] before testing. We would rather answer a clarification question than deal with the fallout of out-of-scope testing.

Section 02

Authorised testing: good-faith research

We permit security testing carried out responsibly and proportionately. To qualify as good-faith research under this policy, testing must:

  • Use the minimum level of interaction necessary to confirm a vulnerability exists
  • Cease immediately once a vulnerability has been identified and confirmed
  • Avoid any privacy violation, data access, data modification, or service disruption
  • Not affect the availability, integrity, or confidentiality of live production systems
  • Not involve accessing or retaining any personal data, client data, or internal system data

Security research should prioritise risk identification, not exploitation or demonstration of impact beyond what is needed to confirm the issue is real.

Section 03

Prohibited activities

The following are explicitly prohibited under this policy and may result in legal action regardless of intent:

  • Denial-of-service attacks (DoS or DDoS), load testing, or any action intended to degrade service performance
  • Automated scanning at volumes that affect website availability or server performance
  • Exploitation of a vulnerability beyond what is necessary to confirm it exists
  • Accessing, copying, modifying, exfiltrating, or retaining any personal data, client data, or internal business data
  • Persistence on systems: maintaining access beyond the point of vulnerability confirmation
  • Lateral movement: using access in one system to pivot to others
  • Privilege escalation beyond what is required to demonstrate the reported issue
  • Testing against customer or third-party environments not operated by DefendVista

Legal boundary
Activities that fall outside this policy may constitute offences under the Computer Misuse Act 1990 and related legislation. This policy does not grant blanket permission for security testing: it sets out the conditions under which good-faith research will not be met with legal action.

Section 04

How to report a vulnerability

Please report vulnerabilities by email to [email protected]. We strongly encourage PGP-encrypted reports for sensitive findings. Our public key is available at /pgp-key and via /.well-known/security.txt.

A useful report includes:

  • A clear description of the vulnerability and the type of issue (e.g. XSS, IDOR, misconfiguration)
  • The affected URL, system, service, or component
  • Steps to reproduce, including any specific conditions, inputs, or account states required
  • Your assessment of the potential impact if the vulnerability were exploited
  • Screenshots or sanitised logs as supporting evidence (no personal data, no live credentials)

What to include and what to leave out
Include only the minimum evidence needed to demonstrate the issue is real. Do not include personal data, customer data, live credentials, or any information that was accessed as part of testing. If you are unsure what to include, err on the side of less detail and we will ask follow-up questions.

Section 05

What to expect from us

When a report is submitted in good faith and within the terms of this policy, DefendVista commits to:

  • Acknowledge receipt of your report within a reasonable timeframe
  • Investigate and validate the reported issue
  • Provide an initial assessment of severity and likely remediation path
  • Prioritise remediation based on risk and operational impact
  • Keep you informed of progress where ongoing communication has been established
  • Coordinate public disclosure timing with you, where disclosure is agreed

DefendVista will not pursue legal action against researchers who comply with this policy and conduct testing responsibly within its scope. Security is a discipline, not a confrontation.

Section 06

Disclosure and recognition

We operate a coordinated disclosure model. We ask that you:

  • Do not publicly disclose vulnerability details until we have had a reasonable opportunity to investigate and remediate
  • Agree a disclosure timeline with us before any public communication
  • Notify us promptly if you become aware that the vulnerability has been disclosed or exploited by a third party

Where disclosure is agreed, we are happy to coordinate the timing and acknowledge your contribution. Eligible researchers who report valid, in-scope vulnerabilities in good faith may be listed on our Security Acknowledgements page. Acknowledgement is at our discretion and is not a guarantee for all reports.

We do not currently offer monetary bug bounties. We reserve the right to introduce a formal bug bounty programme in the future.

Section 07

Legal notice and governing law

This policy operates under the laws of England and Wales. It does not grant permission for actions that are unlawful under UK law, including but not limited to offences under the Computer Misuse Act 1990, the Data Protection Act 2018, or the UK General Data Protection Regulation.

All testing must remain within lawful and ethical boundaries at all times. Acting within this policy does not provide immunity from laws in other jurisdictions. Researchers are responsible for ensuring their activities comply with the laws applicable in their own country or region.

This policy is reviewed and updated periodically. The version in effect at the time of any testing applies.