Security Policy

Last updated: 29 October 2025

Our Commitment

We take security seriously. If you find a vulnerability, we want to work with you to fix it. We'll respond quickly, keep you updated, and won't take legal action against good-faith security research.

This policy follows RFC 9116 (the standard for security.txt) and NCSC's coordinated disclosure guidance.

Reporting a Vulnerability

Email security issues to security@numentechnology.co.uk with "[SECURITY]" in the subject line. We don't require NDAs and will handle your report confidentially.

For automated tools: We have a security.txt file following RFC 9116.

What to Include

Help us fix the issue faster by including:

  • What type: XSS, CSRF, injection, auth bypass, etc.
  • What it does: Explain the vulnerability and how it works
  • Impact: What can an attacker do with this?
  • Where: URLs, endpoints, or components affected
  • How to reproduce: Step-by-step instructions we can follow
  • Proof: Screenshots, code, or video (if safe to share)
  • Suggested fix: Optional, but helpful if you have ideas
  • When found: Discovery date
  • Your details: Name and contact (for credit and follow-up)

Please don't:

  • Exploit beyond proving the issue exists
  • Access or modify other people's data
  • Do anything that degrades the service

What to Expect from Us

Here's how we'll handle your report:

  • First reply: Within 24 hours (UK working days)
  • Confirmation: Within 48 hours with a case reference and severity assessment
  • Updates: Weekly progress updates until resolved; more frequently for critical issues
  • Fix timeline: Target resolution of 30–90 days depending on complexity and severity
  • Public disclosure: After the vulnerability is fixed, deployed, and we've verified the patch

Coordinated Disclosure Window:

  • Standard embargo: 90 days from our acknowledgement of your report
  • Early disclosure: If you wish to publish before 90 days, please discuss timing with us to ensure users are protected
  • Extended embargo: If we need more than 90 days due to complexity, we'll provide justification and proposed timeline by day 60
  • Unresponsive vendor: If we fail to respond within 5 business days or fail to provide weekly updates, you may disclose after notifying us of your intent

If We Disagree:

If we dispute the validity or severity of your report, we'll provide technical justification. If you disagree with our assessment, we encourage coordinated disclosure with an independent third party (e.g., NCSC Vulnerability Coordination).

Public Credit:

Upon disclosure, we'll publicly credit you (with your permission) in:

  • Security advisories published on our website
  • GitHub security advisories (if applicable)
  • Communication to affected users

Severity Levels

Severity   Response Time   Examples
Critical   24 hours        RCE, authentication bypass, data breach
High       3 days          XSS, CSRF, privilege escalation
Medium     7 days          Information disclosure, DoS
Low        14 days         Missing security headers, minor info leaks

What We've Already Got in Place

Here's what's protecting the site now:

Transport Security

  • HTTPS Only: All traffic encrypted via TLS 1.2+
  • HSTS: 2-year max-age with preload (submitted to browser preload list)
  • Certificate: Managed by Vercel with automatic renewal

Security Headers

  • Content-Security-Policy: Restricts where scripts, styles and other resources may be loaded from
  • Cross-Origin-Opener-Policy: Isolates the page's browsing context from cross-origin windows; with COEP this gives cross-origin isolation, a mitigation for Spectre-style attacks
  • Cross-Origin-Embedder-Policy: Blocks cross-origin resources that haven't opted in (via CORS or CORP), so credentialed responses can't be embedded and leaked
  • Cross-Origin-Resource-Policy: Restricts which origins may embed our resources
  • X-Frame-Options: Prevents clickjacking by stopping other sites from framing our pages
  • X-Content-Type-Options: Prevents MIME-sniffing attacks
  • Referrer-Policy: Controls how much referrer information is sent to other sites
  • Permissions-Policy: Disables browser features the site doesn't use

Rate Limiting

  • Implementation: Upstash Redis with sliding window algorithm
  • Contact Form: 5 requests per 15 minutes per IP
  • Graceful Degradation: Falls back to allowing requests if Redis unavailable
  • Headers: Returns X-RateLimit-* and Retry-After headers
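The limiter described above, as an added example that is not the site's own code: a sliding-window log with the contact-form policy (5 requests per 15 minutes per IP), fail-open when the store is unreachable, and X-RateLimit-* / Retry-After headers. The in-memory MemoryStore and its get/set interface are assumptions standing in for Upstash Redis.

```javascript
// Added example (not the site's own code): sliding-window rate limiter with
// the contact-form policy above, fail-open on store outage, and rate-limit
// headers. MemoryStore stands in for Upstash Redis (assumption).
const LIMIT = 5;
const WINDOW_MS = 15 * 60 * 1000;

class MemoryStore {
  constructor() { this.hits = new Map(); this.available = true; }
  // Request timestamps recorded for `key` (like a Redis sorted set).
  async get(key) {
    if (!this.available) throw new Error("store unavailable");
    return this.hits.get(key) || [];
  }
  async set(key, stamps) {
    if (!this.available) throw new Error("store unavailable");
    this.hits.set(key, stamps);
  }
}

// Decide whether a request from `ip` at time `now` (ms) is allowed.
async function checkRateLimit(store, ip, now = Date.now()) {
  const headers = { "X-RateLimit-Limit": String(LIMIT) };
  let stamps;
  try {
    // Drop timestamps that have aged out of the sliding window.
    stamps = (await store.get(ip)).filter((t) => t > now - WINDOW_MS);
  } catch (err) {
    // Graceful degradation: a store outage must not take the form down.
    // Log it so the fail-open condition is visible in monitoring.
    console.error("rate limiter degraded:", err.message);
    return { allowed: true, degraded: true, headers };
  }
  if (stamps.length >= LIMIT) {
    // The oldest hit in the window decides when capacity returns.
    const resetMs = stamps[0] + WINDOW_MS;
    headers["X-RateLimit-Remaining"] = "0";
    headers["X-RateLimit-Reset"] = String(Math.ceil(resetMs / 1000));
    headers["Retry-After"] = String(Math.ceil((resetMs - now) / 1000));
    return { allowed: false, degraded: false, headers };
  }
  stamps.push(now);
  await store.set(ip, stamps);
  headers["X-RateLimit-Remaining"] = String(LIMIT - stamps.length);
  headers["X-RateLimit-Reset"] = String(Math.ceil((stamps[0] + WINDOW_MS) / 1000));
  return { allowed: true, degraded: false, headers };
}
```

The `degraded` flag is worth alerting on: a fail-open limiter that stays open is a limiter you no longer have.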

Bot Protection

  • Honeypot Fields: Hidden fields trap automated bots
  • Timing Analysis: Detects forms submitted too quickly (< 3 seconds)
  • Security Logging: All bot attempts logged to Vercel
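The two checks above, as an added example that is not the site's own code: a honeypot field and a "submitted too quickly" timer (under 3 seconds) measured against a form token issued when the page was rendered. The field name "website", the in-memory token store and the counter-based token are assumptions; a real deployment would issue a cryptographically random, signed token.

```javascript
// Added example (not the site's own code): server-side bot screening for a
// contact form: honeypot field + minimum fill time, with a log event per
// rejected attempt. Token store and field name are assumptions.
const MIN_FILL_MS = 3000;
const HONEYPOT_FIELD = "website"; // hidden via CSS; humans never fill it

const issuedForms = new Map(); // token -> render timestamp (ms)
let nextToken = 1;

// Called when the form page is rendered; the token goes into a hidden field.
function issueFormToken(now = Date.now()) {
  const token = "form-" + nextToken++; // placeholder, not a secure token
  issuedForms.set(token, now);
  return token;
}

// Called on POST. Returns { ok, reason, event }; `event` is the log record.
function screenSubmission(fields, now = Date.now()) {
  const renderedAt = issuedForms.get(fields.formToken);
  issuedForms.delete(fields.formToken); // single use: a token can't be replayed
  let reason = null;
  if (fields[HONEYPOT_FIELD]) reason = "honeypot_filled";
  else if (renderedAt === undefined) reason = "unknown_or_reused_token";
  else if (now - renderedAt < MIN_FILL_MS) reason = "submitted_too_fast";
  const event = {
    ts: new Date(now).toISOString(),
    outcome: reason ? "bot" : "ok",
    reason,
    elapsedMs: renderedAt === undefined ? null : now - renderedAt,
  };
  // The policy logs every bot attempt; stdout stands in for Vercel's logs.
  if (reason) console.log(JSON.stringify(event));
  return { ok: reason === null, reason, event };
}
```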

What You Can Test

Fair Game

  • The website (numentechnology.co.uk)
  • API endpoints (/api/contact, /api/csp-report, /api/indexnow)
  • Contact form and validation
  • Cookie consent system (localStorage)
  • HubSpot integration

Off Limits

Don't test these—they're managed by other companies or aren't useful targets:

  • Third-party services (HubSpot, Google Analytics, Clarity, LinkedIn)
  • Vercel's hosting platform
  • DNS or domain registrar
  • Social engineering (phishing, etc.)
  • DoS or DDoS attacks
  • Spam testing

Data Protection for Security Researchers

If You Discover Personal Data

If you inadvertently access personal data during authorised security research:

  1. Stop immediately - Do not view, copy, download, or retain any personal data
  2. Report promptly - Inform us at security@numentechnology.co.uk with subject "[DATA ACCESS]"
  3. Delete/destroy - Securely delete any personal data from your systems
  4. Document minimally - Only document what's necessary to describe the vulnerability (e.g., "field X returns user email addresses")

Your Obligations Under UK GDPR

When conducting security research under this policy:

  • You act as an independent security researcher, not as our data processor
  • Any access to personal data must be incidental and minimal
  • You must not retain, disclose, or further process any personal data accessed
  • You must report any data access to us immediately so we can assess data breach notification obligations

What Constitutes Personal Data

Personal data includes: names, email addresses, phone numbers, IP addresses, user IDs, session tokens, authentication credentials, and any information that identifies or could identify an individual.

Data Breach Reporting

If your research uncovers a vulnerability that has resulted in unauthorised access to personal data by third parties, this is a reportable data breach. We will handle ICO notification obligations, but we need your cooperation to:

  • Determine the scope and nature of the breach
  • Assess risk to affected individuals
  • Implement remediation measures

Your cooperation with data breach investigations is a condition of our safe harbour protection.

Legal Protection (Safe Harbour)

Follow these rules and we commit not to take legal action against you:

  • ✓ Act in good faith to identify and report security vulnerabilities
  • ✓ Make reasonable efforts not to cause harm - avoid breaking things or accessing private data
  • ✓ Only test accounts you own or have permission to test
  • ✓ Don't exploit beyond proving the issue exists (proof of concept only)
  • ✓ Don't access, modify, copy, or delete other people's data
  • ✓ Don't download data from our systems beyond what's necessary to demonstrate the vulnerability
  • ✓ Don't do anything that degrades the service for users
  • ✓ Give us reasonable time to fix the issue before public disclosure
  • ✓ Follow the 90-day coordinated disclosure window

Our Commitment:

If you comply with this policy and report vulnerabilities in good faith, we commit to:

  1. Not pursue civil action against you for your security research activities
  2. Not report you to law enforcement for Computer Misuse Act 1990 offences arising from authorised research under this policy
  3. Work with you to understand and resolve the issue quickly
  4. Treat your research as authorised for the purposes of any civil claims we might otherwise bring

Legal Disclaimer:

This safe harbour applies only to activities conducted in accordance with this policy. We cannot grant immunity from criminal prosecution (only the Crown Prosecution Service can make prosecution decisions), but we will not make complaints to law enforcement regarding good faith security research conducted under this policy.

For legal purposes, we expressly grant you permission to access our systems solely for security research as defined in this policy. This permission is conditional on your compliance with all terms stated herein.

Third-Party Systems:

This safe harbour applies only to Numen Technology systems. We cannot authorise access to third-party systems (HubSpot, Vercel, Google Analytics, etc.) even if they process our data. Do not test third-party services.

Recognition & Rewards

We appreciate security researchers who help us stay secure. Here's what we offer:

Public Recognition

  • Credit in Security Advisories: Public acknowledgement in security release notes and advisories (with your permission)
  • Professional Recognition: LinkedIn endorsement or recommendation for your security research skills (optional)
  • Reference Letter: Written reference for significant contributions (upon request)

Monetary Rewards

We don't have a formal bug bounty programme, but we may offer discretionary monetary rewards for valid, in-scope vulnerabilities:

  • Critical/High: £100–£500
  • Medium: £50–£100
  • Low: Token amount

Amount depends on: severity, report quality, clarity of reproduction steps, and whether the issue was previously known to us.

Eligibility:

  • Researchers must be 18 years or older
  • Not available to Numen Technology employees, contractors, or immediate family members
  • We reserve the right to verify your identity before payment
  • You are responsible for any tax obligations arising from payments in your jurisdiction
  • For UK recipients: payments may be subject to income tax reporting requirements
  • Payment method will be agreed upon acceptance of the reward

Tax Notice: If you are a UK taxpayer, bug bounty payments may constitute taxable income under the Income Tax Act 2007. We recommend consulting a tax adviser. We may be required to report payments to HMRC if they exceed reporting thresholds.

Note: Out-of-scope issues don't qualify for payment, but we'll still credit you if the finding is valid and helpful.

Contact Points

Additional Resources