
SECURITY & VULNERABILITY DISCLOSURE POLICY

Effective from: 01/08/2025

1.0 Purpose and Commitment
1.1 We want GeiG’s customers to be safe. If you find a security vulnerability, we want to know so we can fix it quickly.
1.2 This policy explains what’s in scope, how to report, what testing is allowed, how we respond, and the protections we offer good-faith researchers.
1.3 Standards alignment: We align our vulnerability disclosure process with ISO/IEC 29147 (vulnerability disclosure) and our internal handling with ISO/IEC 30111 (vulnerability handling processes), and our application security testing with OWASP ASVS and the OWASP Top 10. We commission external penetration tests by CREST-accredited providers at least annually and follow relevant UK NCSC vulnerability disclosure guidance.

2.0 Scope (What You May Test)
2.1 In-scope assets:
a) geig.co.uk (main site);
b) *.geig.co.uk subdomains;
c) browser-based account portals and cloud dashboards hosted by GeiG;
d) public APIs operated by GeiG (non-third-party, documented endpoints);
e) GeiG firmware/software delivered for our devices where interaction occurs on your own licensed device.
2.2 Out-of-scope assets: third-party vendors/processors (e.g., payment, chat, logistics portals), mobile apps not published by GeiG, and any system not expressly listed in 2.1. If you discover an issue affecting a vendor, please report it directly to them and notify us.

3.0 Safe Harbor (Good-Faith Research)
3.1 If you act in good faith, follow this policy, limit testing to 2.1, avoid privacy harm, and promptly report with minimal data exposure, GeiG will not pursue legal action or refer the matter to law enforcement for your testing activities.
3.2 Safe Harbor does not bind regulators or third parties (including the ICO) and does not waive statutory rights or obligations.

4.0 Conditional Authorisation to Test
4.1 You are authorised to perform non-destructive testing of in-scope assets, subject to the limits below.
4.2 Strictly prohibited: DoS/DDoS or resource exhaustion; spam; social engineering or phishing; physical attacks; malware/ransomware payloads; credential stuffing of real users; exfiltration of live personal data; access to data you do not own beyond what is strictly necessary to demonstrate impact.
4.3 If you encounter personal data or sensitive information: stop immediately, minimise access, take only screenshots/redacted samples needed to evidence the issue, report to us, and delete any copies once we acknowledge receipt.
4.4 If the service becomes unstable or degraded, stop testing immediately and notify us.

5.0 Reporting Channel and Encryption
5.1 Email: support@geig.co.uk (mailbox operated by Computerko Limited for GeiG). Web chat on geig.co.uk may be used for initial triage.
5.2 Security.txt: we host /.well-known/security.txt (the RFC 9116 format) pointing to the above channels.
5.3 Encryption: If you need to send sensitive details, request our PGP key; we will provide it or an alternative secure channel.
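
Before relying on the security.txt channel, a reporter will usually check that the file is well formed, has a reachable Contact, and has not expired. The following is an added example (not GeiG's code) that parses a security.txt and reports the RFC 9116 problems that matter in practice. The sample file embedded in it is constructed: only the Contact address comes from this policy, while the Policy URL and the Expires date are assumptions.

```python
"""Check a security.txt against the RFC 9116 rules a reporter cares about.

Added example, not GeiG's code. The sample file below is constructed; the
Policy URL and Expires value in it are assumptions, only the Contact
address comes from the policy text.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample of what /.well-known/security.txt could contain.
SAMPLE_SECURITY_TXT = """\
# GeiG vulnerability disclosure metadata (constructed sample)
Contact: mailto:support@geig.co.uk
Expires: 2026-08-01T00:00:00Z
Policy: https://geig.co.uk/security-policy
Preferred-Languages: en
"""

AT_MOST_ONCE = {"Expires", "Preferred-Languages"}
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages", "CSAF"}


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field -> values; field names are case-insensitive, comments ignored."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        canon = next((k for k in KNOWN if k.lower() == name.strip().lower()),
                     name.strip())
        fields.setdefault(canon, []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    issues: list[str] = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    contacts = fields.get("Contact", [])
    if not contacts:
        issues.append("missing Contact")
    for c in contacts:
        # RFC 9116 allows any URI; mailto:, https: and tel: are the usable ones
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            issues.append(f"Contact is not a usable URI: {c}")

    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            issues.append(f"{name} must appear at most once")

    expires = fields.get("Expires")
    if not expires:
        issues.append("missing Expires")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                issues.append("Expires has no timezone")
            elif when <= now:
                issues.append(f"file expired at {expires[0]}")
            elif when - now > timedelta(days=365):
                issues.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            issues.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")

    for url in fields.get("Policy", []) + fields.get("Encryption", []) + fields.get("Canonical", []):
        if not url.lower().startswith("https://"):
            issues.append(f"non-HTTPS URL in metadata: {url}")
    return issues


def demo() -> tuple[list[str], list[str]]:
    """Validate the constructed sample as of the policy's effective date, then a copy with Expires removed."""
    as_of = datetime(2025, 8, 1, tzinfo=timezone.utc)
    good = validate_security_txt(SAMPLE_SECURITY_TXT, now=as_of)
    broken = validate_security_txt(
        SAMPLE_SECURITY_TXT.replace("Expires: 2026-08-01T00:00:00Z\n", ""), now=as_of)
    return good, broken


if __name__ == "__main__":
    print(demo())
```

The Expires check is the one most often missed: an expired file tells a reporter the listed contact may no longer be monitored, which is exactly the case the 72-hour acknowledgement target depends on avoiding.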

6.0 What to Include in a Report
6.1 A clear description of the issue, affected hosts/paths, and impact.
6.2 Steps to reproduce (proof-of-concept) that do not exfiltrate live data; use test accounts where possible.
6.3 The tool(s) used, UTC timestamps, request/response samples (sanitised), and screenshots.
6.4 Your preferred name/handle for credit, or state you wish to remain anonymous.
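
Sections 4.3 and 6.3 ask for sanitised request/response samples. The following is an added example (not GeiG's code) of a sanitiser that strips the things a raw capture most often leaks: credential-bearing headers, cookie values, JWT-shaped tokens and e-mail addresses, while keeping header names, cookie names and cookie attributes so the sample still demonstrates the issue. The header list, the allow-listed reporting mailbox and the sample traffic are constructed for the example.

```python
"""Sanitise request/response samples before they go into a report.

Added example, not GeiG's code. Redacts credential-bearing headers, cookie
values, JWT-shaped tokens and e-mail addresses (other than the reporting
mailbox) so a proof of concept carries no live personal data. The sample
traffic below is constructed, not real GeiG traffic.
"""
from __future__ import annotations

import re

# Headers whose whole value is secret (constructed list; extend for your target)
SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "x-auth-token"}
KEEP_EMAILS = {"support@geig.co.uk"}  # the reporting channel itself may stay visible

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
JWT_RE = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")  # three base64url segments
REDACTED = "[REDACTED]"

# Constructed sample request and response, not real traffic
SAMPLE = """\
POST /api/v1/orders HTTP/1.1
Host: geig.co.uk
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123-_xyz
Cookie: session=9f2c1d7e; theme=dark
Content-Type: application/json

{"email": "jane.doe@example.com", "contact": "support@geig.co.uk", "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123-_xyz"}

HTTP/1.1 200 OK
Set-Cookie: session=0a1b2c3d; Path=/; HttpOnly; Secure
"""


def _redact_cookie_pairs(value: str, first_only: bool) -> str:
    """Keep cookie names and attributes, drop values. first_only=True handles Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    out = []
    for i, part in enumerate(parts):
        name, eq, _ = part.partition("=")
        if eq and (i == 0 or not first_only):
            out.append(f"{name}={REDACTED}")
        else:
            out.append(part)
    return "; ".join(out)


def _redact_email(match: re.Match) -> str:
    addr = match.group(0)
    return addr if addr.lower() in KEEP_EMAILS else "[REDACTED-EMAIL]"


def sanitise_http_sample(sample: str) -> str:
    """Return the sample with secrets and personal data replaced by placeholders."""
    out = []
    for line in sample.splitlines():
        name, sep, value = line.partition(":")
        # Treat "Name: value" as a header only when the name has no spaces,
        # so request lines and JSON body lines fall through to the regexes.
        header = name.strip().lower() if sep and " " not in name.strip() else None
        if header in SECRET_HEADERS:
            out.append(f"{name.strip()}: {REDACTED}")
            continue
        if header in {"cookie", "set-cookie"}:
            redacted = _redact_cookie_pairs(value, first_only=(header == "set-cookie"))
            out.append(f"{name.strip()}: {redacted}")
            continue
        line = JWT_RE.sub("[REDACTED-JWT]", line)
        line = EMAIL_RE.sub(_redact_email, line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(sanitise_http_sample(SAMPLE))
```

Run the sanitiser over every capture before it leaves your machine, then review the output by eye: regexes catch shapes, not meaning, and an identifier that is personal data in context (an order number tied to a name, for instance) still needs manual redaction.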

7.0 Our Response and Timelines (Targets)
7.1 Acknowledge receipt: within 72 hours.
7.2 First status update: within 7 business days (triage outcome, CVSS severity, and next steps).
7.3 Coordinated disclosure target: fix within 90 days of triage for qualifying issues, with earlier disclosure if fixed sooner or extended by mutual agreement for complex cases.
7.4 We will keep you informed at meaningful stages (triage, fix in progress, fix released, disclosure window).
7.5 We may decline issues that are out of scope or pose negligible risk; we will tell you if so.

8.0 Recognition and Bounties
8.1 This is a good-faith disclosure programme; there is no monetary bounty.
8.2 At our discretion we may offer thanks/recognition (e.g., a Hall of Fame entry) once the issue is verified and remediated. Anonymity is respected if requested.

9.0 Severity Framework and Acceptance Threshold
9.1 We assess issues using the CVSS v3.1 or v4.0 base score together with business impact.
9.2 Generally accepted: CVSS ≥ 4.0 (Medium or above) with meaningful, reproducible security impact.
9.3 Inform-only / typically not accepted: purely informational findings without exploitability or user risk (see 10.0).

10.0 Explicitly Out of Scope (Examples)
10.1 The following are out of scope unless you can demonstrate a clear, exploitable security impact:
a) DoS/DDoS, brute-force attacks, missing or weak rate limiting, or resource exhaustion;
b) Social engineering/phishing of staff or customers;
c) Physical security, lost/stolen devices, and tailgating;
d) Vulnerabilities in third-party platforms/services not operated by GeiG;
e) Self-XSS; clickjacking on non-sensitive pages; missing security headers on non-sensitive pages; version disclosure without impact;
f) Open redirects without concrete attack chaining;
g) SPF/DMARC issues on non-production domains;
h) “Best practice” advice without a specific exploit path;
i) Low-quality automated scan results without proof of impact.

11.0 Testing Conduct and Rate Limits
11.1 Use test accounts and non-destructive POCs.
11.2 Keep automated scanning modest (e.g., ≤ 5 requests/second per origin) and avoid peak hours where possible.
11.3 Do not attempt to access anyone else’s data, modify data, or persist shells/backdoors.
11.4 Immediately remove testing artefacts (accounts, keys, uploaded files) after your report.
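
The 5 requests/second ceiling in 11.2 is per origin, so a scanner needs a separate limiter for each scheme/host/port it touches rather than one global delay. The following is an added example (not GeiG's code) of a per-origin token bucket that enforces that ceiling; the burst size of one and the use of scheme://host:port as the bucket key are assumptions, and the simulated clock exists so the schedule can be checked offline without real sleeps.

```python
"""Per-origin request throttle for policy-compliant scanning.

Added example, not GeiG's code. Enforces a 5 requests/second per origin
ceiling with a token bucket; the burst size and the choice of
scheme://host:port as the "origin" key are assumptions.
"""
from __future__ import annotations

import threading
import time
from typing import Callable
from urllib.parse import urlsplit

MAX_RPS = 5.0  # ceiling from section 11.2


def origin_of(url: str) -> str:
    """Reduce an absolute URL to scheme://host:port so each origin gets its own bucket."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


class OriginThrottle:
    """Token bucket per origin: up to `burst` immediate requests, then `rate` per second."""

    def __init__(self, rate: float = MAX_RPS, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.rate, self.burst = float(rate), int(burst)
        self._clock, self._sleep = clock, sleep
        self._lock = threading.Lock()
        self._buckets: dict[str, list[float]] = {}  # origin -> [tokens, last_refill]

    def acquire(self, url: str) -> float:
        """Reserve a token for url's origin, sleep until it is earned, return seconds waited."""
        origin = origin_of(url)
        with self._lock:
            now = self._clock()
            bucket = self._buckets.setdefault(origin, [float(self.burst), now])
            tokens = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
            bucket[1] = now
            bucket[0] = tokens - 1.0  # take the token now; a negative balance is queued debt
            wait = 0.0 if tokens >= 1.0 else (1.0 - tokens) / self.rate
        self._sleep(wait)  # sleep outside the lock so other origins keep moving
        return wait


class SimulatedClock:
    """Deterministic clock: time advances only when the throttle sleeps."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate(urls: list[str], rate: float = MAX_RPS, burst: int = 1) -> list[float]:
    """Return the wait imposed before each request in `urls`, in order (seconds, 3 dp)."""
    clock = SimulatedClock()
    throttle = OriginThrottle(rate=rate, burst=burst, clock=clock, sleep=clock.sleep)
    return [round(throttle.acquire(u), 3) for u in urls]


if __name__ == "__main__":
    # Six hits on one origin at the ceiling, then one on a different subdomain
    plan = ["https://geig.co.uk/"] * 6 + ["https://api.geig.co.uk/health"]
    print(simulate(plan))
```

Taking the token before sleeping (letting the balance go negative) is what makes the limiter safe under concurrency: every thread that reaches the bucket is assigned its own slot in the schedule, so a burst of workers is spread out at the policy rate instead of all waking at once and retrying.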

12.0 Confidentiality and Disclosure
12.1 Keep details confidential until a fix is available or a coordinated disclosure date is agreed, or 90 days after triage—whichever comes first—unless we mutually agree otherwise.
12.2 We will not disclose your identity without permission, unless required by law.

13.0 No Compensation; No Duty to Act
13.1 Participation is voluntary. GeiG does not promise payment, bounty, or reward unless explicitly stated for a specific programme.
13.2 GeiG may prioritise, defer, or decline remediation consistent with risk and operational impact; we will communicate our decision.

14.0 Limitation of Liability
14.1 To the maximum extent permitted by law, GeiG excludes all liability (contract, tort, negligence, statutory duty, or otherwise) arising from or in connection with this policy, your security testing, or your submissions.
14.2 Where liability cannot be excluded, it is limited to the minimum extent required by the laws of England and Wales.
14.3 Nothing in this policy excludes or limits liability for fraud or for death or personal injury caused by negligence where such limitation would be unlawful.
14.4 This policy does not limit or exclude any liability GeiG may have under data-protection law (including potential ICO enforcement) where such limitation or exclusion is not permitted.

15.0 Researcher Responsibilities
15.1 You must comply with applicable laws, including the Computer Misuse Act 1990, UK GDPR/PECR, export controls/sanctions, and any mandatory restrictions.
15.2 If you are subject to UK/US trade sanctions or are located in embargoed jurisdictions, you must not participate in testing GeiG assets.
15.3 Do not publicly disclose details without coordination per 12.0.

16.0 Remediation Credit and Hall of Fame
16.1 Where we provide recognition, it will be after verification and fix.
16.2 At your request, we will credit your name or handle, or keep you anonymous.

17.0 Administration and Contacts
17.1 Contact: support@geig.co.uk (operated by Computerko Limited for GeiG); 24/7 web chat for triage; /.well-known/security.txt for policy metadata.
17.2 Governing law and jurisdiction: England and Wales.
17.3 Review cycle: this policy is reviewed at least annually. The latest version controls.

End of Security & Vulnerability Disclosure Policy (v1.1)
