> Security Issue Reporting..|

Reporting Security Issues

We regularly work with parties to responsibly disclose security vulnerabilities. Where possible, we will help fix the issues reported, providing reasonable assistance and clarification on the issues at hand

However, we also recognise that publishing information about security vulnerabilities is important and necessary to help ensure security of users' data. Where parties do not intend to fix the disclosed issues, we will publish the vulnerability, as this is in the best interests of the customer

If we find a security vulnerability, we will:

  • Report the issue, including a link to this page for verification purposes
  • Upon successful contact, we will wait a maximum of 90 days before responsibly disclosing the vulnerability
  • If contact is unsuccessful, we will wait a minimum of 60 days before responsibly disclosing the vulnerability


We have worked with the following to notify them of (and help fix) vulnerabilities:


  • GCIA
  • GREM
  • GCFE
  • GCIH
  • GSEC
  • GAWN
  • GCTI
  • GCDA
  • GCFA
  • GMON
  • GXPN
  • GPWN
  • CLAS
  • BSI
  • CESG
  • CES Plus


  • HM Government
  • Cyber Security Challenge
  • Tech UK
  • Crown Commercial Supplier
  • IOD
  • BCS
  • ADS


  • HEX
  • Risual
  • UKCloud
  • Surevine
  • Surevine
  • Surevine