SECURITY & VULNERABILITY DISCLOSURE POLICY
Effective from: 01/08/2025
Version: v1.1
1.0 Purpose and Commitment
1.1 We want GeiG’s customers and users to be safe. If you discover a security vulnerability, please let us know so we can address it promptly.
1.2 This policy explains what is in scope, how to report vulnerabilities, what testing is allowed, how we respond, and the protections we offer to good-faith security researchers.
1.3 Standards alignment. We align our vulnerability disclosure and handling with ISO/IEC 29147 and ISO/IEC 30111, and our application security testing with OWASP ASVS and the OWASP Top 10. We commission external penetration testing by CREST-accredited providers at least annually and follow relevant UK NCSC VDP guidance.
2.0 Scope (What You May Test)
2.1 In-scope assets:
a) geig.co.uk (main site);
b) *.geig.co.uk subdomains;
c) browser-based account portals and cloud dashboards hosted by GeiG;
d) public APIs operated by GeiG (non-third-party, documented endpoints);
e) GeiG firmware or software delivered for our devices, where testing occurs on your own licensed device.
2.2 Out-of-scope assets: third-party vendors or processors (for example, payments, chat platforms, logistics portals), mobile apps not published by GeiG, and any system not expressly listed in clause 2.1. If you discover an issue affecting a third party, please report it directly to them and notify us for awareness.
3.0 Safe Harbour (Good-Faith Research)
3.1 If you act in good faith, follow this policy, limit testing to in-scope assets, avoid privacy harm, and promptly report vulnerabilities with minimal data exposure, GeiG will not pursue legal action or refer the matter to law enforcement for your testing activities.
3.2 Safe Harbour does not bind regulators or third parties and does not waive statutory rights or obligations.
4.0 Conditional Authorisation to Test
4.1 You are authorised to perform non-destructive security testing of in-scope assets, subject to the limits below.
4.2 Strictly prohibited:
- DoS/DDoS or resource-exhaustion attacks;
- spam, social engineering or phishing;
- physical attacks;
- malware or ransomware payloads;
- credential stuffing of real users;
- exfiltration of live personal data;
- accessing data you do not own beyond what is strictly necessary to demonstrate impact.
4.3 If you encounter personal data or sensitive information: stop immediately, minimise access, collect only redacted evidence necessary to demonstrate the issue, report it to us, and delete any copies once we acknowledge receipt.
4.4 If testing causes service instability or degradation, stop immediately and notify us.
5.0 Reporting Channels and Encryption
5.1 Primary contact: support@geig.co.uk. Web chat on geig.co.uk may be used for initial triage.
5.2 security.txt: We publish /.well-known/security.txt pointing to our reporting channels and policy metadata.
5.3 Encryption: If you need to transmit sensitive details, request our PGP key or a secure alternative channel.
6.0 What to Include in a Report
6.1 A clear description of the issue, affected hosts/paths, and security impact.
6.2 Reproduction steps (proof-of-concept) that avoid exfiltrating live data; use test accounts where possible.
6.3 Tools used, UTC timestamps, sanitised request/response samples, and screenshots.
6.4 Your preferred name or handle for recognition, or confirmation that you wish to remain anonymous.
7.0 Our Response and Timelines (Targets)
7.1 Acknowledgement: within 72 hours.
7.2 First status update: within 7 business days (triage outcome, severity assessment, next steps).
7.3 Coordinated disclosure target: remediation within 90 days of triage for qualifying issues, with disclosure earlier if a fix is released sooner, or the window extended by mutual agreement for complex cases.
7.4 We will keep you informed at meaningful stages (triage, fix in progress, fix released, disclosure window).
7.5 We may decline reports that are out of scope or pose negligible risk and will explain our decision.
8.0 Recognition and Bounties
8.1 This is a good-faith disclosure programme; no monetary bounty is offered.
8.2 At our discretion, we may offer recognition (for example, a Hall of Fame entry) after verification and remediation. Anonymity is respected if requested.
9.0 Severity Framework and Acceptance Threshold
9.1 We assess issues using CVSS v3.1 / v4 alongside business impact.
9.2 Generally accepted: CVSS ≥ 4.0 (Medium) with meaningful, reproducible security impact.
9.3 Informational findings without exploitability or user risk are typically not accepted (see clause 10.0).
10.0 Explicitly Out of Scope (Examples)
10.1 Unless a clear, exploitable impact is demonstrated, the following are out of scope:
a) DoS/DDoS, brute-force, rate-limit or resource-exhaustion testing;
b) social engineering or phishing of staff or users;
c) physical security issues and lost or stolen devices;
d) vulnerabilities in third-party platforms not operated by GeiG;
e) self-XSS, clickjacking on non-sensitive pages, missing headers without impact;
f) open redirects without concrete attack chaining;
g) SPF/DMARC issues on non-production domains;
h) best-practice advice without an exploit path;
i) low-quality automated scan results without proof of impact.
11.0 Testing Conduct and Rate Limits
11.1 Use test accounts and non-destructive proofs-of-concept.
11.2 Keep automated scanning modest (for example, ≤ 5 requests per second per origin) and avoid peak usage periods where possible.
11.3 Do not access others’ data, modify data, or deploy persistent shells or backdoors.
11.4 Remove testing artefacts (accounts, keys, uploaded files) after submitting your report.
12.0 Confidentiality and Disclosure
12.1 Keep vulnerability details confidential until a fix is available, a coordinated disclosure date is agreed, or 90 days after triage—whichever occurs first—unless mutually agreed otherwise.
12.2 We will not disclose your identity without permission unless required by law.
13.0 No Compensation; No Duty to Act
13.1 Participation is voluntary. GeiG does not promise payment or reward unless explicitly stated for a specific programme.
13.2 GeiG may prioritise, defer or decline remediation based on risk and operational impact and will communicate its decision.
14.0 Limitation of Liability
14.1 To the maximum extent permitted by law, GeiG excludes liability arising from or in connection with this policy, your testing activities or your submissions.
14.2 Where liability cannot be excluded, it is limited to the minimum extent required by the laws of England and Wales.
14.3 Nothing in this policy limits liability for fraud or for death or personal injury caused by negligence where such limitation would be unlawful.
14.4 This policy does not limit or exclude any liability GeiG may have under data-protection law where such limitation or exclusion is not permitted.
15.0 Researcher Responsibilities
15.1 You must comply with applicable laws, including the Computer Misuse Act 1990, UK GDPR/PECR, export controls and sanctions.
15.2 Researchers located in embargoed jurisdictions or subject to trade sanctions must not participate.
15.3 Do not publicly disclose details except as permitted under clause 12.0.
16.0 Remediation Credit and Hall of Fame
16.1 Recognition, where offered, is provided after verification and remediation.
16.2 At your request, we will credit your name or handle or keep you anonymous.
17.0 Administration and Review
17.1 Contact: support@geig.co.uk; web chat for initial triage; /.well-known/security.txt for policy metadata.
17.2 Governing law and jurisdiction: England and Wales.
17.3 Review cycle: this policy is reviewed at least annually; the latest published version controls.
End of Security & Vulnerability Disclosure Policy (v1.1)