
Responsible Disclosure Policy

Last Updated: October 16, 2025

Security is core to our business. At TestCorp, we appreciate the efforts of security researchers and ethical hackers who help us maintain the security of our systems and protect our clients.

1. Our Commitment

TestCorp is committed to working with security researchers to verify, reproduce, and respond to legitimate vulnerability reports. We pledge to:

  • Acknowledge receipt of vulnerability reports promptly
  • Provide regular updates on our progress
  • Work to remediate verified vulnerabilities in a timely manner
  • Recognize researchers who report vulnerabilities responsibly
  • Not pursue legal action against researchers who follow this policy

2. Scope

2.1 In Scope

This policy applies to vulnerabilities discovered in:

  • TestCorp's primary website and web applications (*.testcorpltd.com)
  • Client-facing portals and services operated by TestCorp
  • TestCorp's API endpoints
  • TestCorp's mobile applications (if applicable)
  • TestCorp's cloud infrastructure and services

2.2 Out of Scope

The following are NOT covered by this policy:

  • Third-party services or websites not controlled by TestCorp
  • Client systems, networks, or applications (report these to the respective client)
  • Social engineering attacks targeting TestCorp employees
  • Physical security vulnerabilities of our offices
  • Denial of Service (DoS/DDoS) attacks
  • Spam or social engineering techniques

3. Safe Harbor

TestCorp considers security research conducted in accordance with this policy as:

  • Authorized under the Computer Misuse Act 1990
  • Legitimate activity for improving security
  • Exempt from legal action by TestCorp

Important: To maintain Safe Harbor protection, you must:

  • Comply with all aspects of this policy
  • Make a good-faith effort to avoid data destruction or privacy violations
  • Report vulnerabilities promptly upon discovery
  • Not exploit vulnerabilities beyond what is necessary to demonstrate the issue

4. Rules of Engagement

4.1 Permitted Activities

You may:

  • Test security controls in a manner that does not degrade our services
  • Use publicly available tools and techniques
  • Attempt to exploit vulnerabilities to verify their existence
  • Access your own test accounts or data

4.2 Prohibited Activities

You must NOT:

  • Access, modify, delete, or store data belonging to others
  • Execute Denial of Service (DoS/DDoS) attacks
  • Send unsolicited communications (spam, phishing) to users or employees
  • Exploit vulnerabilities for personal gain or financial benefit
  • Conduct physical attacks against our facilities or personnel
  • Conduct social engineering attacks against employees or contractors
  • Violate privacy or data protection laws
  • Disrupt or degrade our services or user experience
  • Publicly disclose vulnerabilities before we have had reasonable time to address them

5. Reporting Guidelines

5.1 How to Report

Security Contact Information

Primary Contact:
Email: security@testcorpltd.com

PGP Encryption (Recommended for Sensitive Reports):
PGP Key Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Download Public Key

Alternative Contact:
If you do not receive a response within 48 hours, contact:
admin@testcorpltd.com

5.2 What to Include in Your Report

Please provide as much detail as possible:

  • Vulnerability Type: (e.g., XSS, SQL Injection, Authentication Bypass)
  • Affected URL/Endpoint: Specific location of the vulnerability
  • Proof of Concept: Step-by-step instructions to reproduce
  • Impact Assessment: Your analysis of the potential security impact
  • Suggested Remediation: (Optional) Your recommendations for fixing the issue
  • Discovery Date: When you discovered the vulnerability
  • Your Contact Information: Name/handle and email address
  • Supporting Materials: Screenshots, videos, or code samples (if applicable)

5.3 Encrypted Reporting

For sensitive vulnerabilities, we strongly recommend using PGP encryption. This protects both you and us by ensuring vulnerability details are not intercepted.

6. Our Response Process

6.1 Timeline

  1. Initial Response: Within 48 hours of report submission
  2. Triage: Within 5 business days, we will assess severity and validity
  3. Status Updates: Every 7-14 days until resolution
  4. Resolution: Timeframe depends on severity:
    • Critical: 7-14 days
    • High: 30 days
    • Medium: 60 days
    • Low: 90 days
  5. Disclosure: Coordinated public disclosure (if applicable) after remediation

6.2 Communication

We will:

  • Confirm receipt of your report within 48 hours
  • Provide our initial assessment of severity and validity
  • Keep you informed throughout the remediation process
  • Notify you when the vulnerability has been resolved
  • Coordinate with you on any public disclosure

7. Vulnerability Severity Classification

Critical Severity

  • Remote code execution on production systems
  • SQL injection allowing data extraction or modification
  • Authentication bypass affecting all users
  • Direct access to sensitive client data

High Severity

  • Cross-Site Scripting (XSS) with significant impact
  • Cross-Site Request Forgery (CSRF) on sensitive operations
  • Privilege escalation vulnerabilities
  • Information disclosure of credentials or tokens

Medium Severity

  • XSS with limited impact
  • Information disclosure of non-sensitive data
  • Security misconfigurations with exploitable impact
  • Subdomain takeover vulnerabilities

Low Severity

  • Missing security headers with minimal impact
  • Information disclosure with no direct exploit path
  • Issues requiring significant user interaction or social engineering

8. Recognition

We appreciate security researchers who help us improve our security posture. With your permission, we offer:

  • Public Acknowledgment: Recognition on our security acknowledgments page
  • Reference Letter: Professional reference letter for significant findings
  • CVE Assignment: Assistance with CVE assignment where appropriate

Note: TestCorp does not currently offer a bug bounty program, but we may provide recognition and thanks for valuable contributions to our security.

9. Disclosure Policy

9.1 Coordinated Disclosure

We believe in coordinated disclosure. Please:

  • Allow us reasonable time to remediate vulnerabilities before public disclosure
  • Coordinate with us on disclosure timing and content
  • Redact any sensitive information from public disclosures

9.2 Public Disclosure Timeline

  • We aim to remediate critical vulnerabilities within 14 days
  • If we cannot meet remediation timelines, we will communicate openly about delays
  • After 90 days, researchers may proceed with public disclosure at their discretion
  • Earlier disclosure may be appropriate if the vulnerability is being actively exploited

10. Legal Considerations

10.1 UK Legal Framework

This policy is designed to comply with:

  • Computer Misuse Act 1990: Authorizing security research activities
  • Data Protection Act 2018: Protecting personal data discovered during research
  • Regulation of Investigatory Powers Act 2000: Lawful interception considerations

10.2 Data Protection

If you discover personal data during your research:

  • Do not access, download, modify, or store the data
  • Report the vulnerability immediately
  • Provide only the minimum information necessary to demonstrate the issue
  • Delete any inadvertently accessed data immediately

11. Out of Scope Issues

While we appreciate all reports, the following are typically considered out of scope:

  • Missing security headers with no demonstrated impact
  • Clickjacking on pages with no sensitive actions
  • Issues requiring physical access to user devices
  • Vulnerabilities requiring MITM or physical network access
  • Social engineering reports without technical vulnerability
  • Reports from automated tools without validation
  • Issues in third-party libraries or frameworks (report to the vendor)
  • Theoretical vulnerabilities without proof of concept

12. Questions and Feedback

If you have questions about this policy or need clarification on scope, please contact:

Security Team
Email: security@testcorpltd.com

We welcome feedback on this policy and will update it periodically to reflect best practices and community input.

13. Additional Resources

  • NCSC Vulnerability Reporting Guidance
  • ISO/IEC 29147:2018 - Vulnerability Disclosure
  • Disclose.io - Industry Standard

Thank you for helping keep TestCorp and our clients secure!

Responsible security research is essential to the security ecosystem. We value your contributions and look forward to working with the security community.

14. Contact Information

TestCorp Ltd
Kingfisher House
21-23 Elmfield Road
Bromley, Kent
BR1 1LT
United Kingdom

Security Email: security@testcorpltd.com
General Email: admin@testcorpltd.com
Phone: +44 203 9965998

© 2025 TestCorp. All rights reserved.