SECURITY POLICY
How to report a security issue you've found in our website or services. We take security seriously and welcome responsible disclosure.
Last updated: 12 May 2026
How to report
Please email security@brambla.co.uk with as much detail as you can share:
- A description of the issue and where you found it (URL or path)
- Steps to reproduce, including any payloads or example requests
- Your assessment of impact (what could go wrong if exploited)
- Optional: a suggested fix or mitigation
- Your name or handle if you'd like to be credited
You can find the machine-readable version of this contact at /.well-known/security.txt (RFC 9116).
What to expect from us
- Acknowledgement within 48 hours. We confirm receipt and triage promptly. Reports submitted at weekends may take a little longer.
- Resolution target: 30 days for high-severity issues. We'll keep you informed of progress and confirm when the fix is live.
- Credit if you want it. With your permission we'll add your name or handle to the acknowledgements list below.
- Goodwill payments at our discretion. We may offer a goodwill payment for high-impact, responsibly disclosed issues. We do not operate a formal bug bounty programme — payment is not guaranteed and is assessed case-by-case based on severity, novelty, and quality of report.
Scope
In scope:
- brambla.co.uk and any subdomain (e.g. www.brambla.co.uk, api.brambla.co.uk)
- Brambla's contact and project-brief forms
- The admin dashboard at /admin/ (authentication, authorisation, data exposure)
- The tracking endpoint at /api/track-client-site/ and the form endpoint at /api/client-contact/
Out of scope:
- Sites we build or host for clients (each has its own owner; contact them directly)
- Third-party services we depend on (Vercel, Supabase, Cloudflare, Microsoft 365, Stripe) — report to the vendor
- Social-engineering tests against staff or contractors
- Physical-security tests
- Reports based purely on automated scanner output with no demonstrated impact
- Issues that require already-compromised credentials, browser malware, or physical device access
Acceptable testing
Acceptable:
- Passive reconnaissance, header probes, fingerprinting
- Single-account, low-volume manual testing of vulnerabilities you suspect
- Reporting findings to us before any public disclosure
Not acceptable:
- Destructive testing (deleting data, defacing pages, modifying records)
- Denial-of-service attacks, traffic flooding, or resource-exhaustion tests
- Mass automated scanning at rates that degrade service for real users
- Accessing, downloading, or exfiltrating data belonging to other users or clients
- Public disclosure before we have had reasonable opportunity to fix
Anti-extortion
Demands for payment as a condition of disclosure — whether explicit (“pay or I publish”) or implied (“I'll tell you what I found once you transfer X”) — are not responsible disclosure. We will not pay under coercion, will fix the issue regardless, and will report the communication to Action Fraud. Legitimate researchers who want a goodwill payment should simply disclose first and let us decide; we treat both behaviours very differently.
Safe harbour
If you make a good-faith effort to comply with this policy when conducting security research, we will:
- Consider your research authorised activity
- Not pursue civil action or report you for accidental, good-faith violations
- Work with you to understand and resolve the issue quickly
Acknowledgements
Thank you to the researchers who have responsibly disclosed issues to us. We'll list names or handles here (with permission) as reports are received and resolved.
This policy is published in good faith. It does not create any contractual or legal obligation on either party beyond what is described above. Brambla is a brand of SDB Digital Ltd (United Kingdom).