Responsible Disclosure & Vulnerability Reporting Policy
Effective Date: 4th April 2025
Last Updated: 4th April 2025
1. Our Commitment to Security
At DPA Cloud Services Ltd, we are committed to maintaining the highest standards of security across all of our systems and services. We value the efforts of the security community and welcome responsible disclosure of potential vulnerabilities that could impact the integrity, confidentiality, or availability of our infrastructure or data.
This policy outlines how to report potential vulnerabilities safely and in good faith.
2. What This Policy Covers
This policy applies to potential security issues in:
- Our public-facing websites, client dashboards, and APIs
- Authentication and authorisation flows
- Data access or permission misconfigurations
- Systems wholly owned and operated by DPA Cloud Services Ltd
It does not apply to:
- Third-party tools, providers, or integrations
- Services hosted behind Cloudflare Zero Trust, unless you have written authorisation
- Social engineering, denial-of-service attacks, or physical security testing
- Software not developed or maintained by DPA Cloud Services Ltd
Important Limitations
Please do not attempt the following without prior permission:
- Penetration testing of any kind
- Bypassing security controls on live systems
- Using automated scanning tools
- Testing internal systems or infrastructure protected by Cloudflare
Uncoordinated testing may be considered unauthorised access and could result in legal action.
How to Report a Vulnerability
Please send reports to:
- Email: [email protected]
- Alternative: [email protected]
Include:
- A clear summary of the issue
- Steps to reproduce (if safe)
- Affected URL or system name
- Any relevant logs or evidence
- Your contact details or PGP key (optional)
How We Handle Reports
Upon receiving a report:
- We will verify and triage the issue
- We may contact you for more information
- The issue will be resolved internally
- You will be updated on triage and remediation status
Your identity will not be disclosed without permission. Public acknowledgement is optional.
Safe Harbour
We will not pursue legal action against individuals who:
- Act in good faith and follow this policy
- Do not exploit vulnerabilities
- Respect the privacy of others
- Do not intentionally disrupt services
If you're unsure about your actions, please contact us for clarification before testing.
Contact & Further Guidance
For questions about this policy or future testing initiatives:
- Email: [email protected]
- Compliance: [email protected]
We thank you for helping us build a more secure digital ecosystem.