Security Policy

We take the security of BrandPulse seriously. If you believe you have found a security vulnerability, we encourage responsible disclosure and will work with you to resolve it promptly.

Reporting a Vulnerability

Please report suspected security vulnerabilities by emailing [email protected]. Do not open a public GitHub issue for security problems.

To help us triage your report quickly, please include:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant URLs, request/response pairs, or screenshots
  • Your suggested severity (Critical / High / Medium / Low)

Scope

The following assets are in scope:

  • usebrandpulse.uk and all subdomains
  • The BrandPulse web application and its API endpoints
  • Authentication and session-management flows

The following are out of scope:

  • Denial-of-service attacks or volumetric testing
  • Social engineering or phishing of BrandPulse staff
  • Physical security attacks
  • Vulnerabilities in third-party services we rely on (report those to the relevant vendor)
  • Automated scanner output without proof of exploitability

Our Commitments

  • Acknowledge receipt of your report within 3 business days
  • Provide an initial assessment of severity and expected resolution timeline within 10 business days
  • Notify you when the vulnerability has been fixed
  • Credit you in our release notes (if you wish) once the issue is resolved

Safe Harbor

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they: avoid accessing, modifying, or deleting data that does not belong to them; do not disrupt our services or degrade user experience; and disclose findings to us before making them public (coordinated disclosure).

Encrypted Reporting

If your report is sensitive, you may encrypt it using our PGP key, available at /.well-known/pgp-key.txt.

This policy was last reviewed April 2026. We reserve the right to update it at any time.