Responsible Disclosure

Email security@coverproof.co.uk with a description of the issue, the steps to reproduce it, and its potential impact. Please give us reasonable time to investigate and fix the issue before any public disclosure.

If you make a good-faith effort to comply with this policy during your research, we will consider your research authorised, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue quickly. If a third party brings legal action against you for activity that complied with this policy, we will make our authorisation known.

• The CoverProof web application and its API.
• The declarations and counterparty zero-login flows.
• Authentication, authorisation, and tenant-isolation issues.

• Denial-of-service, volumetric, or load testing.
• Social engineering, phishing, or physical attacks against our staff or offices.
• Reports from automated scanners without a demonstrated, exploitable impact.
• Findings limited to missing best-practice headers with no concrete security impact.

• Access, modify, or delete data that does not belong to a test account you control.
• Degrade the service for other users.
• Publicly disclose the issue before we have had a reasonable chance to remediate.

We will acknowledge your report, keep you updated as we investigate, and let you know when the issue is resolved. We do not currently run a paid bug-bounty programme, but we are glad to credit researchers who would like public recognition once an issue is fixed.