/ Legal & compliance
Vulnerability Disclosure Policy
Clear information about how Secremedy operates, protects data, and works with customers.
Effective 14 July 2026
How to report
Email [email protected] with the affected URL or system, a clear description, reproducible steps, impact and a safe way to contact you. Do not include unnecessary personal data, credentials or live exploit material in ordinary email.
Good-faith research
Keep testing limited to systems clearly owned by Secremedy and publicly in scope. Stop if you access personal data, customer data, credentials or cause service degradation. Do not use denial of service, social engineering, phishing, malware, physical attacks, destructive techniques, persistence, data exfiltration or third-party systems.
What we ask
- Make a reasonable effort to avoid privacy violations and disruption.
- Use the minimum proof needed and delete retained data securely.
- Give us a reasonable opportunity to investigate and remediate before public disclosure.
- Do not demand payment or threaten disclosure.
What you can expect
We aim to acknowledge a credible report within five working days, provide a tracking contact, investigate proportionately and keep you informed where possible. Timelines vary with severity and complexity. We do not promise a reward.
Safe harbour
Where research is good-faith, lawful and follows this policy, we will not initiate legal action solely for that research. This statement cannot authorise conduct involving third parties or override applicable law.