Last updated: 2026-05-19

Vulnerability Disclosure Policy

Found a security issue in Vupiy? Thank you for taking the time to tell us. This policy explains how to report responsibly, what we commit to, and what we ask of you.

This policy is published in line with RFC 9116 and the UK NCSC Vulnerability Disclosure Toolkit. We do not currently operate a paid bug bounty programme; we credit researchers on our Hall of Fame with consent.

1. Our commitment to you

If you act in good faith under this policy, we will:

  • Not pursue any legal action against you, including under the Computer Misuse Act 1990, for security research carried out under the terms of this policy.
  • Treat your report confidentially and respect any reasonable request for anonymity.
  • Acknowledge your report within 3 UK business days.
  • Triage the report and tell you our initial assessment within 10 UK business days.
  • Keep you informed of progress, discuss reasonable disclosure timing with you, and credit you on our Hall of Fame (with your consent) once the issue is fixed.

2. In scope

This policy applies to security issues affecting:

  • vupiy.co.uk and all *.vupiy.co.uk subdomains we operate (including app, api, hmrcapi, document, clientapi, status)
  • Vupiy's mobile applications (where published)
  • Vupiy's public REST APIs (where documented)
  • Our security.txt, DNS configuration, TLS/SSL configuration, and email authentication (SPF, DKIM, DMARC)

3. Out of scope

The following are not covered by this policy. Please do not test them under the safe harbour:

  • Third-party services we connect to (e.g., HMRC sandbox, Stripe, Open Banking providers, Cloudflare, our cloud host) — report to that provider directly under their own disclosure policy
  • Social engineering of our staff, partners, customers, or contractors
  • Physical attacks against our offices or our staff
  • Denial-of-service (DoS / DDoS), brute-force, or load-testing attacks
  • Findings from automated scanners without a working proof of impact
  • Missing security headers without a demonstrated exploit
  • Self-XSS, clickjacking on pages with no sensitive actions, or banner / version disclosure
  • Reports about software end-of-life or outdated library versions without a corresponding exploit
  • Vulnerabilities affecting only outdated browsers (any release older than the current major version of Chrome, Firefox, Safari or Edge minus one)
  • Use of test accounts or customer accounts you do not own (even with consent — please use our test environment instead)

4. How to report

Send your report by one of:

  • Email: [email protected]
  • Web form: vupiy.co.uk/security/report (TLS-only)

Please include in your report:

  • A clear description of the issue and where you found it (URL, parameter, screen)
  • Step-by-step instructions to reproduce, including any payload
  • The impact: what an attacker could do if this issue were exploited
  • Your name and a way to contact you (email is fine; we will not share this without your consent)
  • Optionally, a suggested fix or mitigation

You do not need a Vupiy account to report an issue. If we need to reproduce against a test account, we will provide one.

5. What we ask of you

  • Minimise data exposure. Only access the data necessary to demonstrate the issue. Stop as soon as you have proof. Do not download bulk personal data.
  • Do not modify or delete data belonging to Vupiy or our customers.
  • Do not publicly disclose the issue until we have had a reasonable opportunity to fix it. The typical fix window is 90 days; we will agree a timeline with you on triage.
  • Comply with UK law, including the Computer Misuse Act 1990 and UK GDPR. The safe harbour in clause 1 does not apply to activity outside this policy.
  • Do not extort. Do not condition disclosure on payment.

If you accidentally cause damage or access personal data of others while researching, stop, tell us immediately at [email protected], and we will work with you in good faith.

6. Severity and timing

We use the CVSS v3.1 framework internally to assess severity. Our target fix windows are:

  • Critical: 7 calendar days
  • High: 30 calendar days
  • Medium: 60 calendar days
  • Low: 90 calendar days

These are targets, not guarantees. Some issues require coordinated disclosure with HMRC or other parties, which may extend timing — we will tell you if that is the case.

7. Recognition

We don't run a paid bounty programme today. We do credit researchers on our Hall of Fame page (with your consent and your preferred name). We may launch a bounty programme in the future; if so, prior reporters in scope will be considered.

8. PGP / signed reports

If you prefer to encrypt your report, please email [email protected] for our current public key. We do not publish a key by default to avoid stale-key pitfalls.

9. Governing law and disputes

This policy is governed by the laws of England and Wales. Any dispute arising from the operation of this policy will be subject to the exclusive jurisdiction of the courts of England and Wales. Nothing in this policy creates a contractual relationship between you and Vupiy.

10. Updates to this policy

We may update this policy. The "Last updated" date at the top of this page is authoritative. We will not retroactively change the terms applicable to a report you have already submitted under a previous version.

11. Thank you

If you take the time to find a security issue and report it to us responsibly, you are making Vupiy and its customers safer. We appreciate that.