Vulnerability Disclosure Policy

Last updated: 6 March 2026

BEWKD LTD - Company number: 17121655

Bewkd values responsible security research and welcomes reports of vulnerabilities that may affect our systems, services, or users.

If you believe you have discovered a security issue, please report it to us privately so we can investigate and address it promptly.

How to report a vulnerability

Please email all reports to:

security@bewkd.com

Include as much detail as possible:

  • a clear description of the issue
  • steps to reproduce
  • affected URL, page, feature, or endpoint
  • proof of concept, screenshots, or sample requests where appropriate
  • any assessment of potential impact

What we ask from researchers

When testing or reporting issues, you must:

  • act in good faith
  • avoid privacy violations, data destruction, or service disruption
  • avoid accessing, modifying, or deleting data that does not belong to you
  • avoid social engineering, phishing, or physical attacks
  • avoid spam, denial of service, or brute force activity
  • give us a reasonable amount of time to investigate and remediate before public disclosure

Safe testing guidelines

The following types of testing are generally allowed, provided they are performed carefully and in good faith:

  • identifying client-side vulnerabilities
  • identifying authentication or authorization weaknesses
  • identifying exposed configuration issues
  • testing for common web vulnerabilities without causing disruption

Out of scope

The following are not permitted under this policy:

  • denial of service or resource exhaustion testing
  • spam or unsolicited messages
  • social engineering of staff, contractors, or customers
  • physical security attacks
  • attacks against third-party services used by Bewkd
  • automated scanning that materially affects service performance
  • attempts to access or exfiltrate customer or employee data
  • vulnerability reports based solely on missing best-practice headers without a demonstrable security impact

Our commitment

When you submit a report in good faith, Bewkd will:

  • acknowledge receipt of your report
  • review and validate the issue
  • work to remediate confirmed vulnerabilities in a reasonable timeframe
  • keep you informed where appropriate

Response targets

Our target response times are:

  • acknowledgment within 3 business days
  • initial triage within 5 business days
  • remediation timing based on severity and complexity

These targets are goals, not guarantees.

No bug bounty

Bewkd does not currently operate a paid bug bounty programme unless explicitly stated otherwise.

Legal safe harbour

If you act in good faith, follow this policy, avoid harming users or services, and report issues privately to Bewkd, we will not pursue legal action against you for your research.

Public disclosure

Please do not publicly disclose a vulnerability until Bewkd has had a reasonable opportunity to investigate and remediate the issue.

Contact

For all vulnerability reports and security questions:

security@bewkd.com