Vulnerability Disclosure Policy
We welcome reports from security researchers and members of the public who identify potential vulnerabilities in our systems. This policy outlines how to report and what to expect.
Last Updated: April 30, 2026
Purpose
PricePress takes the security of its platform and customer data seriously. We welcome reports from security researchers and members of the public who identify potential vulnerabilities in our systems. This policy outlines how to report security issues and what you can expect from us when you do.
Scope
In scope
- The PricePress production application: thepricepress.com and its subdomains owned by PricePress Limited
- The PricePress API endpoints accessible from the application
- The PricePress public marketing site
- Issues affecting customer authentication, authorisation, data isolation, or session security
- Cryptographic weaknesses in PricePress-controlled cryptographic operations
Out of scope
- Third-party infrastructure providers and external data sources we consume — please report directly to those providers
- Third-party services we link to but do not control
- Social engineering of PricePress personnel or customers
- Physical security testing
- Denial of Service (DoS / DDoS) attacks
- Spam, mass-message attacks, or volumetric abuse
- Issues requiring physical access to a victim's device or network
- Vulnerabilities that can only be exploited on a rooted or jailbroken device
- Outdated TLS configurations on third-party domains, or theoretical risks without demonstrated impact
- Self-XSS, clickjacking on pages without sensitive actions, missing security headers without demonstrated impact
- Use of known-vulnerable libraries without a working proof-of-concept that affects PricePress users
How to report a vulnerability
Send your report to security@thepricepress.com.
Please include
- A clear description of the vulnerability
- Steps to reproduce, including any required preconditions
- The potential impact, in your assessment
- Any relevant screenshots, logs, or proof-of-concept code
- Your contact information for follow-up
- Whether you would like to be credited publicly when the issue is resolved
Optional but appreciated
- A suggested fix or mitigation
- Indication of whether the issue has been disclosed elsewhere
- Your PGP public key, if you would like our reply encrypted (our key and its fingerprint are available on request by email)
What to expect from us
When you submit a report in good faith and within the scope of this policy:
Acknowledgement within 5 business days
We will confirm receipt and begin triage.
Status updates at meaningful intervals
We will let you know when triage is complete, when a fix is in development, and when it is deployed.
A direct point of contact
For any clarifying questions during the investigation.
No legal action against you
For any good-faith research that complies with this policy (see Safe Harbour below).
Credit on resolution
With your permission. We maintain a Hall of Fame on this page.
A genuine thank you
We appreciate the time and skill you put into this work.
We do not currently operate a paid bug bounty program. Recognition is via Hall of Fame credit and our genuine gratitude.
Safe Harbour
PricePress will not pursue legal action against, or report to law enforcement, any researcher who:
- Acts in good faith and complies with this policy.
- Avoids privacy violations, destruction of data, and disruption of the Service.
- Accesses only the minimum data necessary to demonstrate the vulnerability, using the researcher's own test account or an account whose owner has given explicit consent.
- Stops testing immediately upon discovery and reports promptly.
- Does not exploit the vulnerability beyond what is necessary to confirm its existence.
- Does not publicly disclose the vulnerability before PricePress has had a reasonable opportunity to remediate it (typically 90 days from initial report).
If you are uncertain whether a specific test action falls within scope, contact us at security@thepricepress.com before conducting the test.
This policy is intended to align with the principles of the U.S. Computer Fraud and Abuse Act authorised-access framework as interpreted by Van Buren v. United States (2021) and the public-data principles of hiQ Labs, Inc. v. LinkedIn Corp. (2022). It is also intended to align with similar good-faith research principles in Jersey, the United Kingdom, and the European Union.
This policy is not a license to access data belonging to other PricePress customers. Any access to such data, even inadvertent, must be reported immediately and the data must not be retained, disclosed, or used.
Public disclosure
We support coordinated disclosure. The expected pattern:
- You report the vulnerability to us.
- We confirm and remediate, typically within 90 days for non-critical issues, sooner for high-severity issues.
- After the fix is deployed, you and we agree on a public-disclosure timeline.
- Where appropriate, we publish a brief advisory crediting your work (with your permission).
If a vulnerability is being actively exploited or otherwise warrants accelerated disclosure, please indicate this clearly in your report.
We ask that you do not publicly disclose the vulnerability before remediation without first agreeing a timeline with us. If 90 days have passed without remediation and the issue is still open, please contact us to discuss disclosure timing.
Hall of Fame
This wall is waiting for its first name
Spot a security issue? Report it via the policy above and you’ll be the first researcher credited here — with our genuine thanks and a permanent place on this page.
Out-of-band communications
For sensitive coordination beyond email, we are open to:
- Encrypted email (PGP key provided on request)
- Signal or another secure messenger, by mutual agreement
We do not use third-party bug bounty platforms at this time.
Contact
Email: security@thepricepress.com
See also our Security & Trust page and Privacy Policy.