Security and vulnerability disclosure
Maintaining the security of our network and the data we hold is important to us. We actively endorse and support working with the research and security practitioner community to improve our online security.
We welcome investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers.
If you believe you have found a security issue, please send your report to us using [email protected] Initial reports should include a brief description of the type of vulnerability and the system or service this has been found in (e.g. the website address or application name).
Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details to aid in the accurate identification and/or remediation.
We are committed to prompt correction of vulnerabilities. We ask that you refrain from sharing or publishing information about any discovered vulnerabilities for 90 calendar days from receipt of acknowledgment of your report. We reserve the right to request further time before you make any published disclosure.
Regrettably, we can’t offer a paid bug bounty programme. We will, however, make efforts to show our appreciation on our website to security researchers who take the time and effort to improve the security posture of our services.
- A peer review & approval process is in place to ensure the integrity of application code.
- Application security is regularly assessed throughout the development lifecycle. Vulnerability scanning and penetration testing is performed against the application regularly.
- The application does not leak information through verbose error messages.
- The application sanitises input and encodes output in order to mitigate against injection attacks.
- Data at rest is encrypted at AES-256. Data in transit is encrypted using TLSv1.2 and suitably strong cipher suites.
- All cryptographic keys are managed and stored in AWS KMS.
- AWS Certificate Manager is used to manage PKI.
- Incoming encrypted data is terminated on WAF / load balancer.
- All production networks are in AWS. Resources run in a dedicated VPC.
- Security group rules only allow inbound traffic on required ports.
- Inbound / outbound rules are regularly reviewed.
- Access to the internal network is restricted by the Infrastructure team.
- All access to production systems is administered by the Infrastructure team.
- Access is provisioned in adherence with the “least privileges” principle.
- Access is reviewed regularly to ensure its appropriateness.
- Permissions templates are used to define a base level of access.
- Critical systems scale horizontally to handle demand.
- Critical systems are deployed in a multi-AZ distribution to ensure geographical redundancy.
- Regular backups are performed and data integrity tested.
- A disaster recovery plan, business continuity plan and an incident management process is in place.
- Access to the cloud environment is delegated through AWS SSO.
- Infrastructure is managed by terraform, any changes are subject to peer review and approval before being deployed.
- Infrastructure is monitored for potential disruption, and the infrastructure team is alerted of this.
AWS Inspector is used to scan production assets for vulnerabilities.
An internal Vulnerability Management process is followed to assess vulnerability issues, and report these to relevant teams for remediation.
SLOs are defined for vulnerability findings, depending on the CVSS score and other contextual information.
- All staff are required to undergo DBS and background checks
- All staff complete Data Protection and Information Security training at least annually
- Additional training is provided to all staff that may directly handle data
- We are ISO 27001 certified, and maintain an Information Security Management System
- We hold valid Cyber Essentials and Cyber Essentials+ certifications
For further information about our security controls please contact us at [email protected]