Security Vulnerability Disclosure Policy
Reporting a security concern
If you believe you have found a security vulnerability affecting Tech Off Your Mind, please report it to help@techoffyourmind.co.uk with the subject line "Security report".
Please include a clear description, the affected page, system or service, steps to reproduce the issue where safe to do so, the potential impact, and your contact details. Do not include unnecessary personal information or customer data.
Please act responsibly
Do not access, alter, download, delete or disclose data that does not belong to you.
Do not disrupt services, use denial-of-service techniques, send spam, perform social engineering, or test third-party or customer systems without written authorisation.
Stop testing and contact us if you encounter personal information, credentials, confidential information or evidence of active compromise.
What you can expect
We aim to acknowledge genuine reports within 5 working days and will investigate in proportion to the apparent risk.
We may ask for further information. We will try to keep you informed, but we may be unable to share confidential details, customer information or exact remediation dates.
We ask that you do not disclose the issue publicly until we have had a reasonable opportunity to investigate and address it.
Scope and rewards
This policy is not an invitation to test customer environments or third-party services. It does not create permission to break the law, breach a contract or access systems without authorisation.
We do not currently operate a paid bug bounty programme. Any acknowledgement is at our discretion.