Security Policy

Responsible Disclosure

Found something? Good. We'd rather hear it from you than find out the hard way. Here's how to tell us about it safely, and what you can expect in return.

We welcome your findings.

At Hedgehog Security, we practice what we preach. We believe that security researchers acting in good faith are a vital part of the security ecosystem, and we actively encourage the responsible reporting of vulnerabilities discovered in our systems and infrastructure.

This policy sets out our commitment to working with the security community, defines the scope of what you may test, explains how to report findings, and describes the protections we offer to researchers who follow these guidelines.

Our Safe Harbour Commitment

If you conduct security research in accordance with this policy, we consider your activities to be authorised. We will not pursue legal action against you, we will not report your activities to law enforcement, and we will work with you in good faith to understand and resolve the issue.

If a third party initiates legal action against you for activities that were conducted in compliance with this policy, we will take reasonable steps to make it known that your actions were authorised by us.


How to report a vulnerability.

Please send all vulnerability reports to our dedicated security inbox. We strongly encourage the use of our PGP key to encrypt sensitive details.

Email: security@hedgehogsecurity.co.uk
PGP fingerprint: [YOUR PGP FINGERPRINT HERE]

Encrypt all sensitive details with our public key. We aim to acknowledge receipt within 24 hours (UTC).

Your report should include:

  • Vulnerability Details: A clear description of the vulnerability, the affected system or URL, and the potential impact if exploited.
  • Reproduction Steps: Step-by-step instructions, proof-of-concept code, screenshots, or video demonstrating how the vulnerability can be reproduced.
  • Your Contact Details: A way for us to reach you for follow-up questions. We respect your privacy and will never share your details without consent.
  • Remediation Suggestions: Optional but appreciated — if you have thoughts on how to fix it, we'd love to hear them.

PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
[INSERT YOUR PGP PUBLIC KEY HERE]
-----END PGP PUBLIC KEY BLOCK-----

Replace this placeholder with your actual PGP public key. Generate one with: gpg --full-generate-key
Export with: gpg --armor --export security@hedgehogsecurity.co.uk

What's in and out of scope.

To help focus your efforts and keep everyone safe, please review the scope boundaries below. If you're unsure whether something is in scope, ask us before testing — we're happy to clarify.

In Scope:

  • *.hedgehogsecurity.co.uk: All subdomains of our primary domain
  • Web application vulnerabilities: XSS, SQLi, CSRF, IDOR, authentication flaws, etc.
  • API security issues: Broken authentication, injection, mass assignment, etc.
  • Server misconfigurations: TLS issues, exposed admin panels, directory listing, etc.
  • Business logic flaws: Privilege escalation, access control bypasses

Out of Scope (and why):

  • Denial of Service (DoS/DDoS): We don't want you to take us offline — and neither do our clients
  • Social engineering of staff: Phishing, vishing, or physical social engineering against our team
  • Physical security testing: Do not attempt to access our offices or data centres
  • Third-party services: Vulnerabilities in services we use but don't control (e.g. CDN, SaaS)
  • Automated scanning at scale: Aggressive automated scanners disrupt our services — use targeted testing
  • SPF/DKIM/DMARC misconfigurations: Unless demonstrably exploitable for meaningful impact
  • Missing security headers: Unless you can demonstrate concrete, exploitable impact
  • Self-XSS: Vulnerabilities requiring the victim to paste code into their own browser

Rules of Engagement

When conducting your research, you must:

  • Not access, modify, or delete data belonging to other users or clients
  • Not degrade or disrupt the availability of our services
  • Stop testing and report immediately if you encounter sensitive data (PII, credentials, client information)
  • Not publicly disclose the vulnerability before we've had a reasonable opportunity to remediate it
  • Comply with all applicable laws in your jurisdiction
  • Act in good faith at all times

What to expect from us.

We take every report seriously. Here's our commitment to you on response times — all times are working days, UTC.

Within 24 Hours

Acknowledgement

We'll confirm we've received your report and assign it a tracking reference. You'll have a named point of contact for all further correspondence.

Within 5 Working Days

Triage & Assessment

We'll validate the vulnerability, assess its severity using CVSS, and provide you with an initial assessment. We may ask follow-up questions during this phase.

Within 30 Working Days

Remediation Target

We aim to remediate confirmed vulnerabilities within 30 working days of triage. Critical and high-severity issues are fast-tracked. We'll keep you informed of progress.

Upon Resolution

Notification & Recognition

Once the fix is deployed and verified, we'll notify you and — with your permission — add your name to our Hall of Fame. You'll be the first to know when it's safe to disclose.


Credit where it's due.

We believe in recognising the contributions of security researchers. While we do not currently operate a paid bug bounty programme, we offer the following to researchers who submit valid reports in accordance with this policy:

  • Hall of Fame (all valid reports): Public recognition on our website's Hall of Fame page (with your consent). Your name, handle, or organisation credited alongside the finding.
  • Reference Letter (significant findings): A signed reference letter from our CTO confirming your responsible disclosure and the quality of your research — handy for CVs and portfolios.
  • Hedgehog Swag (critical / high severity): For critical and high-severity findings, we'll send you exclusive Hedgehog Security merchandise. Because everyone deserves a t-shirt for popping a shell.

We are actively considering the introduction of a formal bug bounty programme. If you have thoughts on this, we'd love to hear from you.


Frequently asked.

Yes, but we recommend letting us know your source IP(s) in advance so our SOC team doesn't mistake your testing for a genuine attack. Drop us an email at security@hedgehogsecurity.co.uk before you begin.

Stop testing immediately, do not save or share the data, and report the issue to us straight away. If you follow this process, we will not hold the accidental access against you. Delete any copies of the data you may have inadvertently stored.

We ask that you give us a reasonable window to remediate — typically 90 days from our acknowledgement of the report. If we need more time, we'll communicate this to you and agree a revised timeline. We will never unreasonably delay disclosure. Once remediated, we're happy for you to publish your research.

Not currently, though we are actively evaluating the introduction of a paid bug bounty programme. In the meantime, we offer Hall of Fame recognition, reference letters, and exclusive merchandise for significant findings. We believe in recognising effort and skill, even if the budget doesn't stretch to cash bounties just yet.

Absolutely. You may report via an anonymous email address or use our PGP key without identifying yourself. We'd prefer a way to follow up with questions, but we understand and respect the desire for anonymity.

If the same vulnerability has already been reported by another researcher, we'll let you know it's a duplicate. We credit the first reporter. If your report contains additional exploitation paths or impact analysis beyond the original, we may credit both researchers.

Found something interesting?

Don't sit on it. Drop us a line and let's make things more secure — together.