Vulnerability Disclosure Policy for economit.co.uk

Introduction

At economit.co.uk, we are committed to ensuring the security and privacy of our users. We value the contributions of security researchers and the broader community in helping us identify and address potential vulnerabilities in our systems, applications, and services. This Vulnerability Disclosure Policy outlines the process for submitting security vulnerability reports and how we handle such disclosures.

Scope

This policy applies to all services, applications, and infrastructure owned and operated by economit.co.uk, including:

  • The website hosted at economit.co.uk and its subdomains.

  • Web applications and APIs provided by economit.co.uk.

  • Any other services explicitly branded as economit.co.uk.

Out-of-scope systems include third-party services not directly managed by economit.co.uk. Please refer to the respective third-party providers for their vulnerability disclosure policies.

Guidelines for Security Researchers

We encourage responsible vulnerability research and disclosure. To ensure a productive collaboration, please adhere to the following guidelines:

  1. Do Not Cause Harm: Avoid actions that could disrupt our services, compromise user data, or negatively impact our users or systems.

  2. Respect Privacy: Do not access, modify, or share user data or sensitive information unless explicitly required to demonstrate a vulnerability.

  3. Act in Good Faith: Conduct research in a manner consistent with applicable laws and ethical standards.

  4. Avoid Public Disclosure: Do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate the issue.

How to Report a Vulnerability

To report a security vulnerability, please send an email to info@economit.co.uk with the following details:

  • A detailed description of the vulnerability, including the affected system or service.

  • Steps to reproduce the issue or a proof-of-concept (if applicable).

  • The potential impact of the vulnerability (e.g., data exposure, service disruption).

  • Your contact information for follow-up communication.

  • Any additional information that may assist in understanding or mitigating the issue.

We strongly prefer reports submitted via email to ensure secure and direct communication. Please do not share sensitive details over public channels.

Our Commitment

Upon receiving a vulnerability report, economit.co.uk will:

  1. Acknowledge Receipt: We will confirm receipt of your report within 3 business days.

  2. Investigate Promptly: Our security team will assess the reported vulnerability and prioritise remediation based on its severity and impact.

  3. Communicate Progress: We will keep you informed of our progress, including timelines for remediation, where feasible.

  4. Coordinate Disclosure: We aim to resolve reported vulnerabilities within 90 days. Once the issue is resolved, we will work with you to determine an appropriate time for public disclosure, if applicable.

  5. Recognise Contributions: With your consent, we may publicly acknowledge your contribution in our security acknowledgments or hall of fame.

Safe Harbor

economit.co.uk will not pursue legal action against security researchers who adhere to this policy, act in good faith, and comply with applicable laws. We consider responsible vulnerability research to be a valuable contribution to our security efforts.

Exclusions

The following activities are explicitly prohibited under this policy:

  • Performing denial-of-service (DoS) attacks or other actions that disrupt service availability.

  • Accessing, modifying, or destroying user data without explicit permission.

  • Social engineering attacks (e.g., phishing) targeting economit.co.uk employees or users.

  • Physical attacks or attempts to access our physical infrastructure.

  • Automated scanning or testing that generates excessive traffic or impacts system performance.

Rewards

At this time, economit.co.uk does not offer monetary rewards for vulnerability reports. However, we greatly appreciate the efforts of security researchers and may offer public recognition, swag, or other non-monetary acknowledgments at our discretion.

Contact

For all vulnerability reports or questions about this policy, please contact us at security@economit.co.uk.

Updates to This Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. The latest version will always be available at economit.co.uk.

Thank you for helping us keep economit.co.uk secure!

Last updated: June 2, 2025