Security Policy

Last updated: March 2026

Reporting a vulnerability

If you believe you have found a security vulnerability in any Moored Solutions system, please report it to us by emailing jamie-crisp@mooredsolutions.com. We take all reports seriously and will investigate promptly.

Please do not report security vulnerabilities via blog posts or social media.

What to include in your report

  • A description of the vulnerability and its potential impact
  • The affected URL, endpoint, or component
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code, screenshots, or recordings
  • Your assessment of severity (if known)

The more detail you provide, the faster we can triage and resolve the issue.

Scope

The following systems are in scope:

  • app.mooredsolutions.com — the main application

Out of scope

The following are out of scope and should not be tested:

  • Denial of service attacks
  • Social engineering or phishing of staff or customers
  • Physical access attacks
  • Automated scanning without prior approval
  • Attacks against third-party services (Stripe, Postmark, Twilio, etc.)
  • Vulnerabilities in third-party libraries without a demonstrated exploit
  • Missing security headers with no demonstrated impact
  • Self-XSS or issues that require unlikely user actions to exploit

What to expect

  • Acknowledgment — we aim to acknowledge your report within 24 hours
  • Triage — we will assess severity and confirm whether the issue is reproducible within 10 business days
  • Resolution — critical and high severity issues will be prioritised for immediate patching; we will keep you informed of progress
  • Credit — with your permission, we will acknowledge your contribution once the issue is resolved

We do not currently offer a monetary bug bounty programme.

Responsible disclosure

We ask that you give us reasonable time to investigate and remediate the issue before any public disclosure. We request a minimum of 90 days from initial report before publishing details of the vulnerability. We will work with you to agree a disclosure timeline if needed.

We will not take legal action against researchers who discover and report vulnerabilities in good faith, provided they comply with this policy and do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability.

PGP key

For sensitive reports, you may encrypt your email using our PGP public key.