Savings UK Ltd
In this policy, references to “StockExchange.CO”, “us”, “we” and “our” mean Savings UK Ltd, a company incorporated and registered in England and Wales, with registered company number 14136413.
Responsible Disclosure Policy
It’s important that anybody is able to contact us, quickly and effectively, with security concerns or information pertinent to our customers’ privacy or the confidentiality, integrity or availability of our systems. Therefore we operate a responsible disclosure policy to help security professionals and others alert us swiftly with the minimum of fuss.
If you believe you have identified a vulnerability, please read through the submission terms below and use one of the means below to contact us.
The terms below apply to any website, application or service distributed by or hosted by Savings UK Ltd or served under a domain name owned by Savings UK Ltd.
You can use our email address or technical partner to alert us to:
- vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data or our customers’ data
- “copycat” applications or phishing attacks even if they do not originate from Savings UK Ltd sources
- activity, discussion or data in any public forum which you believe constitutes a threat to Savings UK Ltd or our customers
At all times act responsibly and in the best interests of Savings UK Ltd and our customers.
- Do not break the law
- Do not use social engineering techniques against our customers or staff
- Do not put any Savings UK Ltd or customer data at risk
- Do be specific
- Do provide a detailed and complete submission (masking or encrypting if necessary)
- Do reference existing vulnerability information where relevant
It is important that we treat your communication as a responsible disclosure and not an attack or extortion. Following these guidelines will help to ensure that. We act decisively on attacks and extortion attempts, including reporting them to the police.
How to disclose a security issue to us
Please use the sections below to make your submission.
If you are uncomfortable sending any of the following content by email, you may mask or redact sensitive content or encrypt data using the PGP key included at the bottom of this page.
Your submission should contain:
- clear description and evidence of the vulnerability (logs, screenshots, responses)
- detailed steps to reproduce the issue
- any platforms, operating systems, versions that are relevant
- any relevant IP addresses or URLs
- any supporting evidence you have collected (logging, tracing etc.)
- your assessment of the exploitability or impact of the issue
- your name, role (if appropriate) and contact details
Please preserve as much evidence as possible as we may need to examine it.
How we will respond
We need to be able to respond quickly and effectively to important communication sent to this email address, so we take steps to manage spam and quickly identify high-quality submissions.
We discourage and will not respond to:
- reports of generic vulnerabilities with no evidence of relevance to our systems
- reports of any information already in the public domain
- reports that are vague or non-actionable
- anonymous reports
We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Savings UK Ltd and its customers.
We do not offer financial reward for submissions but we do believe in public recognition for anyone who helps us to ensure our systems and data are secure. We will not name you without your consent. If a public endorsement is appropriate we will discuss the details with you in advance.
We are actively working to put in place a bug bounty program that will facilitate and regulate financial reward for submissions but we cannot do so at this time.
You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential and not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.
Submit a disclosure
Anyone can report an information security issue using our dedicated Support link below.
Submit a technical disclosure
If you have in-depth technical details such as CVSS scoring, CWE references, etc., you may prefer to make your submission via our technical form.