What You Can Expect
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, acting within this policy. We will treat your report as confidential and will not share your identity without your consent.
We offer public acknowledgement of confirmed findings to researchers who request it. We do not currently offer a paid bug bounty programme, though we may provide recognition through our public disclosure notes.
How It Works
Report
Submit your finding to contact@offcept.com with as much technical detail as possible. Encrypt sensitive submissions using our PGP key.
Acknowledgement
We will acknowledge receipt within 48 hours and assign a tracking reference. You will have a named point of contact throughout the process.
Assessment
Our team will validate the finding, assess severity, and determine remediation priority. We will keep you updated on our progress at least every 7 days.
Remediation
We will remediate confirmed vulnerabilities and notify you when the fix has been deployed. We aim to resolve critical issues within 30 days of confirmation.
Disclosure
We support coordinated public disclosure. If you wish to publish your findings, we ask for a minimum of 90 days from the initial report to allow for remediation. We will credit researchers by name or handle, as preferred.
What to Test
- offcept.com and all subdomains
- OFFCEPT web applications and APIs
- OFFCEPT-controlled infrastructure
What to Avoid
- Social engineering attacks targeting OFFCEPT staff
- Denial of service or resource exhaustion attacks
- Physical security attacks
- Automated scanning without prior coordination
- Vulnerabilities in third-party services not under our control
- Theoretical vulnerabilities without demonstrated impact
