Legal Pack v1.0

Security Vulnerability Disclosure Policy

This document is written in plain English and is intended to reflect the current Tech Off Your Mind business model. It may be updated as services, suppliers, insurance or legal requirements change.

Reporting a security concern

If you believe you have found a security vulnerability affecting Tech Off Your Mind, please report it to help@techoffyourmind.co.uk with the subject line "Security report".

Please include a clear description, the affected page, system or service, steps to reproduce the issue where safe to do so, the potential impact, and your contact details. Do not include unnecessary personal information or customer data.

Please act responsibly

Do not access, alter, download, delete or disclose data that does not belong to you.

Do not disrupt services, use denial-of-service techniques, send spam, perform social engineering, or test third-party or customer systems without written authorisation.

Stop testing and contact us if you encounter personal information, credentials, confidential information or evidence of active compromise.

What you can expect

We aim to acknowledge genuine reports within 5 working days and will investigate in proportion to the apparent risk.

We may ask for further information. We will try to keep you informed, but we may be unable to share confidential details, customer information or exact remediation dates.

We ask that you do not disclose the issue publicly until we have had a reasonable opportunity to investigate and address it.

Scope and rewards

This policy is not an invitation to test customer environments or third-party services. It does not create permission to break the law, breach a contract or access systems without authorisation.

We do not currently operate a paid bug bounty programme. Any acknowledgement is at our discretion.