Security Policy

Last updated: Jan 2, 2026
CREST Pathway Accreditation Logo for Exploitr Limited
UK Cyber Security Council membership logo
Cyber Essentials Certification Logo for Exploitr Limited

Exploitr is committed to maintaining the highest standards of security and data protection for our users and employees. Security is a crucial aspect of our operations, and as such we have designed our platform with this in mind from the very beginning.

We recognise that security vulnerabilities may be identified by third parties without prior authorisation and we welcome responsible reports of such issues. This policy explains how to report potential security vulnerabilities and sets expectations for responsible behaviour. It does not grant permission to access or test our systems.

No Authorisation for Testing

This policy does not authorise security testing or access to any systems operated by Exploitr.

Any access to our systems must be:

  • Accidental, or
  • Limited to what is strictly necessary to identify and report a potential security issue

Nothing in this policy should be interpreted as permission to:

  • Probe, scan, or test systems
  • Attempt to bypass security controls
  • Access accounts, data, or functionality not intended for you

Responsible Disclosure Expectations

If you identify a potential security vulnerability, we ask that you:

  • Stop any further activity immediately
  • Do not attempt to validate the issue beyond what is necessary to confirm its existence
  • Do not access, modify, delete, or copy data
  • Do not attempt to access other users’ accounts or personal data
  • Do not disrupt services or user experience
  • Report the issue to us as soon as reasonably practicable

Data Protection & Privacy

You must:

  • Avoid accessing personal data wherever possible
  • Immediately stop testing if personal data is encountered
  • Not copy, retain, disclose, or process personal data

Any personal data accessed unintentionally must be reported promptly and securely.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability, please report it to us as soon as possible via:

Subject line: “Security vulnerability report”

Email: [email protected]

We ask that you:

  • Allow us reasonable time to investigate and remediate the issue
  • Do not publicly disclose the vulnerability without our prior written consent

We are happy to discuss disclosure timelines once a report has been validated.

What to Include in Your Report

To help us investigate efficiently, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Affected URLs, parameters, or endpoints
  • Proof of concept or screenshots (where appropriate)
  • The potential impact of the issue (as determined by you)

Please avoid including unnecessary personal data in your report.

Good-Faith Reporting

If you:

  • Act in good faith
  • Do not intentionally exploit the issue
  • Do not exceed minimal interaction
  • Promptly report the issue

Exploitr Limited will not seek to take legal action against you in relation to the act of reporting the vulnerability.

This assurance does not apply to:

  • Deliberate or reckless exploitation
  • Continued access after discovery
  • Activities that are unlawful or malicious

Our Commitment

When a report is submitted responsibly, we aim to:

  • Acknowledge receipt within 5 business days
  • Assess the report and take appropriate action

We may not be able to provide detailed updates in all cases.

Bug Bounty / Rewards

We do not currently operate a bug bounty programme or offer financial rewards for vulnerability reports. This may change in future revisions of this policy.

Security Contact Information

Our security contact details are also available via:

https://exploitr.com/.well-known/security.txt

Changes to This Policy

We may update this policy from time to time. The version published at the time of reporting will apply.