Advanced Informatics
  • Home
  • What We Do
  • Contact
  • Get in Touch

Vulnerability Disclosure Policy

How to report a security vulnerability you have found in one of our systems, and how we will handle your report.

Version 1.6 - last updated 2 July 2026

Advanced Informatics Ltd ("Advanced Informatics", "we", "us", "our") takes the security of its systems and the data entrusted to it seriously. We welcome reports from security researchers and members of the public about vulnerabilities they have identified in our systems. This policy sets out what is in scope, how to report a vulnerability, the protections we offer good-faith researchers, and how we will respond.

Contents

  1. Purpose and scope
  2. In-scope systems
  3. Out-of-scope systems and conduct
  4. Safe harbour and authorisation
  5. How to report a vulnerability
  6. Acknowledgement, triage, and remediation timelines
  7. Confidentiality
  8. Coordinated disclosure
  9. Recognition
  10. Legal
  11. Standards alignment

1. Purpose and scope

1.1 Advanced Informatics Ltd takes the security of its systems and the data entrusted to it seriously. We welcome reports from security researchers and members of the public about vulnerabilities they have identified in our systems.

1.2 This policy:

  • Sets out the systems that are in scope and out of scope for vulnerability reporting;
  • Describes how to report a vulnerability;
  • Sets out the limited authorisation we give to good-faith security research on our in-scope systems, and the conduct that puts a researcher outside that authorisation;
  • Sets out the timescales within which Advanced Informatics will acknowledge, triage, and respond to a report;
  • Sets out our approach to coordinated disclosure.

1.3 This policy applies to Advanced Informatics Ltd as a corporate entity. It does not apply to vulnerabilities in client systems we do not own or operate, or in third-party services we use (for those, please report to the respective provider directly - see paragraph 4.4).

1.4 This policy is aligned with ISO/IEC 29147:2018 (Vulnerability disclosure), ISO/IEC 30111:2019 (Vulnerability handling processes), the UK National Cyber Security Centre's Vulnerability Disclosure Toolkit, and RFC 9116 (security.txt).

2. In-scope systems

2.1 The following Advanced Informatics-owned and Advanced Informatics-operated assets are in scope for good-faith security research under this policy:

  • The website at https://advancedinformatics.co.uk and its subdomains operated by Advanced Informatics;
  • The corporate email domain advancedinformatics.co.uk (for issues such as missing or weak SPF, DKIM, or DMARC, or for receiving phishing samples that impersonate the domain);
  • Any other system that Advanced Informatics has explicitly designated as in scope and listed at https://advancedinformatics.co.uk/security/ at the time of testing.

2.2 The list of in-scope assets may be updated from time to time. The version published on the website at the time of testing is authoritative. Under RFC 9116 a security.txt file applies only to the host from which it is retrieved, not to that host's subdomains; Advanced Informatics publishes security.txt on each in-scope host where practicable, but a subdomain operated by Advanced Informatics remains in scope by virtue of this policy and the in-scope list at https://advancedinformatics.co.uk/security/ even where it does not carry its own security.txt.

2.3 Where an in-scope Advanced Informatics system is hosted on third-party infrastructure, the authorisation in this policy extends only to the Advanced Informatics application layer and configuration, and not to the underlying platform, which is out of scope under paragraph 3.1.

3. Out-of-scope systems and conduct

3.1 The following systems are explicitly out of scope. Research, testing, or attempted exploitation of these systems is not authorised by this policy:

  • Systems owned or operated by Advanced Informatics' clients (including any system reached via a client link or client tenant);
  • Systems owned or operated by Advanced Informatics' suppliers, sub-processors, or other third parties (Microsoft 365, Google Workspace, GitHub, Cloudflare, our banking and accounting providers, and any other supplier listed in the Supplier Register or otherwise) - vulnerabilities in these services should be reported to the relevant provider's own disclosure channel;
  • Production environments hosting client data;
  • The personal devices, accounts, or networks of any director, employee, or contractor of Advanced Informatics.

3.2 The following types of activity are out of scope under this policy and are not authorised, regardless of the system targeted:

  • Denial-of-service attacks, including, without limitation, volumetric, protocol, application-layer, or resource-exhaustion attacks; load testing; or any testing that is reasonably likely to degrade availability for other users;
  • Physical attacks against any premises, person, or device;
  • Social engineering of any director, employee, contractor, supplier, or client of Advanced Informatics, including phishing, vishing, smishing, pretexting, or in-person manipulation;
  • Accessing, downloading, modifying, deleting, or exfiltrating data that does not belong to the researcher (including personal data of any data subject, Advanced Informatics intellectual property, and Advanced Informatics or client confidential information) beyond the minimum necessary to demonstrate the existence of the vulnerability;
  • Persisting access beyond the time needed to identify and demonstrate the vulnerability;
  • Lateral movement, privilege escalation beyond the level needed to demonstrate impact, or pivoting to systems outside the in-scope list;
  • Brute-force or credential-stuffing attacks, including against authentication endpoints;
  • Spamming any Advanced Informatics address or system;
  • Any activity that breaches applicable law (including the Computer Misuse Act 1990, the Investigatory Powers Act 2016, the Data Protection Act 2018, and the UK General Data Protection Regulation (the UK GDPR, being Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018) in the United Kingdom), or any activity outside the safe-harbour scope in section 4.

3.2A Researchers based outside the United Kingdom remain responsible for compliance with their own local law. In Ireland, the relevant statute is the Criminal Justice (Offences Relating to Information Systems) Act 2017.

3.3 The following finding types are typically not treated as security vulnerabilities under this policy and may be closed without remediation, although they will still be acknowledged:

  • Missing security headers (e.g. Content-Security-Policy, X-Content-Type-Options) on pages that do not handle sensitive functions, where there is no demonstrable security impact;
  • Self-XSS or other findings requiring an attacker to first compromise the victim's browser;
  • Output of automated scanners with no demonstrated impact;
  • Reports of weak ciphers or protocols on services that do not handle authenticated sessions or sensitive data;
  • Findings that depend on a vulnerable browser, an end-of-life operating system, or a compromised endpoint;
  • Theoretical findings without a working proof of concept;
  • Reports about email security configuration (SPF, DKIM, DMARC, BIMI) that are limited to absence of a non-mandatory record;
  • Reports about rate limiting or CAPTCHA absence on endpoints that have no security-sensitive function.

4. Safe harbour and authorisation

4.1 Advanced Informatics will not pursue, support, or encourage any civil proceedings or criminal prosecution, and will not report to law enforcement, any researcher who, in good faith, complies with this policy in researching and reporting a vulnerability in an in-scope system, even where that research would otherwise involve activity caught by sections 1, 2, 3, 3ZA, or 3A of the Computer Misuse Act 1990, the Investigatory Powers Act 2016, or the Copyright, Designs and Patents Act 1988, or related civil claims that Advanced Informatics could otherwise bring. This safe harbour is given under the law of England and Wales; researchers in other jurisdictions remain responsible for compliance with their own local law.

4.2 The authorisation in paragraph 4.1 is given by Advanced Informatics in respect of itself only. It does not bind any other person and does not grant authorisation in respect of any third-party system. Advanced Informatics cannot grant authorisation under criminal law (only the relevant prosecuting authority can decide whether to prosecute). What Advanced Informatics undertakes is that it will not itself initiate, support, or encourage a prosecution against a researcher who has complied with this policy in good faith, and will, on request, confirm to a prosecutor or court that the research was authorised under this policy.

4.3 The safe harbour in paragraph 4.1 applies only where the researcher:

  • Has tested only systems within the in-scope list in section 2;
  • Has not engaged in any out-of-scope activity in section 3.2;
  • Has accessed only the minimum data necessary to demonstrate the vulnerability;
  • Has not retained, copied, transferred, or published any Advanced Informatics or third-party data accessed in the course of the research, beyond what is needed for the report itself, and has securely destroyed any such data on the earlier of (i) confirmation of remediation by Advanced Informatics or (ii) ninety days from the date of the report;
  • Has reported the vulnerability to Advanced Informatics through the channel in section 5;
  • Has given Advanced Informatics a reasonable opportunity to remediate before any public disclosure (see section 8);
  • Has complied with the UK GDPR or, where applicable, the EU GDPR (Regulation (EU) 2016/679), in handling any personal data the researcher incidentally processes during the research. The researcher is independently responsible as a controller for any such processing.

4.3A If a researcher inadvertently accesses personal data or other sensitive information beyond what is necessary to demonstrate the vulnerability, they should stop immediately, not download, copy, or further access that data, record only what is needed to describe the issue, and tell Advanced Informatics promptly in their report so that Advanced Informatics can assess any obligation it has under Articles 33 and 34 of the UK GDPR (or, as applicable, the EU GDPR). Following this step is treated as compliance with this policy, not a breach of it.

4.4 If a researcher believes they have identified a vulnerability in a third-party service that affects Advanced Informatics or its clients, they should report it to the third-party provider's own vulnerability disclosure programme. They may also notify Advanced Informatics through the channel in section 5; we will coordinate with the provider where appropriate.

4.4A Where a reported vulnerability affects an Advanced Informatics client, or requires a fix from a supplier or sub-processor, Advanced Informatics will coordinate disclosure and remediation in line with ISO/IEC 30111:2019, notify any affected client without undue delay where the Incident Response Plan or a Data Processing Agreement requires, and keep the researcher informed of any timeline changes that result.

4.5 Nothing in this policy authorises a researcher to act in breach of any obligation owed to a third party (for example, the terms of service of a hosting provider used by Advanced Informatics). Compliance with such third-party obligations is the responsibility of the researcher.

5. How to report a vulnerability

5.1 Reports should be sent to:

  • Email: security@advancedinformatics.co.uk
  • Encryption (optional but preferred for sensitive reports): if you would like to encrypt your report, ask us for our PGP key at the email address above and we will provide the current key fingerprint and key file.

5.2 Please include in the report, as far as is reasonably possible:

  • A description of the vulnerability and the system it affects;
  • The steps to reproduce, with timestamps where relevant;
  • The potential impact (confidentiality, integrity, availability, or other);
  • Any proof-of-concept code, screenshots, or HTTP request / response captures necessary to demonstrate the issue;
  • The researcher's name and preferred contact details (a pseudonym is acceptable; we do not require government-verified identity, although we may ask for verification if the report is high-impact and we need to reach the researcher reliably);
  • Whether the researcher wishes to be acknowledged in any subsequent advisory (see section 9);
  • An indication of whether the researcher intends to publish the finding, and if so on what timeline (see section 8).

5.3 We accept reports in English. We do not accept reports submitted via social media direct message, public posts on social platforms, or unsolicited LinkedIn messages.

5.4 We do not currently operate a managed bug bounty platform (e.g. HackerOne, Bugcrowd, Intigriti). Reports submitted via such platforms about Advanced Informatics will not have been routed to us; please use the channel above.

6. Acknowledgement, triage, and remediation timelines

6.1 The Incident Response Plan governs handling of any vulnerability report that turns out to be a confirmed live incident affecting Advanced Informatics or its clients. The timelines below are for handling the report itself.

6.2 Target timelines:

Stage Target Notes
Acknowledgement 2 business days from receipt Confirms the report was received and assigns a tracking reference.
Initial triage 5 business days from receipt Confirms whether the report is in scope, validates the vulnerability, and assigns a severity.
Severity-based response See paragraph 6.4 Sets the target remediation window.
Status updates At least every 14 calendar days while the report is open More frequent for Critical or High severity.
Closure notification Within 5 business days of remediation Confirms remediation, the fix that was applied, and any acknowledgement (section 9).

6.3 We use the Common Vulnerability Scoring System (CVSS), currently version 4.0 published by FIRST in November 2023, to assist with severity scoring, supplemented by a contextual judgement that takes account of exploitability, the sensitivity of any data potentially exposed, and the reachability of the vulnerable surface. Where a researcher provides a CVSS v3.1 score we will accept it and convert as needed. The qualitative severity bands at paragraph 6.4 are unchanged between v3.1 and v4.0.

6.4 Target remediation windows:

Severity Indicative CVSS base score Target remediation window
Critical 9.0-10.0 7 calendar days
High 7.0-8.9 30 calendar days
Medium 4.0-6.9 90 calendar days
Low 0.1-3.9 Best effort, typically next planned release cycle

6.5 Remediation windows run from the date Advanced Informatics validates the vulnerability. If the window cannot be met for genuine engineering reasons (for example, a fix requires a coordinated upstream patch from a supplier), we will explain why and agree a revised target with the researcher. On remediation, Advanced Informatics may, with the researcher's agreement, invite the researcher to re-test the specific reported issue to confirm the fix; any such re-test of the original finding on an in-scope system is within the authorisation and safe harbour in section 4.

7. Confidentiality

7.1 Advanced Informatics will treat the content of any vulnerability report as confidential to Advanced Informatics, the researcher, and (to the extent strictly necessary to triage and remediate) any supplier or sub-processor whose system is implicated.

7.2 We will not share the researcher's name, contact details, or any identifying information with anyone outside Advanced Informatics without the researcher's prior consent, except where required by law (for example, in response to a court order or a properly issued regulatory request) or where the report itself reveals an active criminal offence that requires reporting to law enforcement.

7.3 Any personal data of the researcher (within the meaning of Article 4(1) of the UK GDPR) provided in the course of a report is processed under our Privacy Notice. The lawful basis is Article 6(1)(f) of the UK GDPR (legitimate interests), as expressly recognised in Recital 49 of the GDPR and codified for the United Kingdom by Article 6(11)(c) of the UK GDPR (inserted by section 70(4) of the Data (Use and Access) Act 2025, in force 5 February 2026 by SI 2026/82), which lists processing necessary for ensuring the security of network and information systems as an example of processing that may constitute a legitimate interest under Article 6(1)(f). The processing is not a "recognised legitimate interest" under Annex 1 of the UK GDPR (inserted by Schedule 4 of the Data (Use and Access) Act 2025), so the balancing test continues to apply. The legitimate interest is the operation of a vulnerability disclosure programme to protect Advanced Informatics' systems and the data entrusted to us; Advanced Informatics has carried out a legitimate-interests assessment, which is held internally and is available to the Information Commissioner's Office on request. For researchers based in the European Economic Area, the corresponding lawful basis is Article 6(1)(f) of the EU GDPR (Regulation (EU) 2016/679). The retention period for vulnerability reports is six years from closure, aligned with the Data Retention Schedule entry for security incidents and consistent with the limitation period under the Limitation Act 1980. Researchers may exercise their data subject rights under Articles 15 to 22 of the UK GDPR (or, as applicable, the EU GDPR) by contacting dataprotection@advancedinformatics.co.uk.

8. Coordinated disclosure

8.1 Advanced Informatics asks researchers to allow us a reasonable opportunity to remediate before publishing details of a vulnerability. Our default coordinated-disclosure window is ninety days from validated triage, subject to the following:

  • For Critical or High severity issues, the window may be shortened by mutual agreement once a fix is deployed and verified;
  • For Medium or Low severity issues, the window may be extended by mutual agreement where remediation is genuinely complex, with status updates as in paragraph 6.2;
  • If a vulnerability is being actively exploited in the wild, we will work to a substantially shorter window and will coordinate publication with the researcher.

8.2 We will not seek to indefinitely suppress publication of a finding. If a report is closed as out of scope or as a "won't fix" duplicate or known limitation, we will say so to the researcher, and the researcher is then free to publish the finding, subject always to the researcher's continuing obligations under section 4 - in particular not publishing any personal data, Advanced Informatics or client confidential information, or third-party data accessed during the research, and complying with the UK GDPR or EU GDPR as applicable.

8.3 We expect researchers, as a condition of the safe harbour in section 4, not to publish before the agreed coordinated-disclosure date and not to disclose technical detail of an unpatched vulnerability to any third party other than the researcher's own legal or technical advisers under appropriate confidentiality. Where a researcher believes Advanced Informatics is failing to act on a confirmed vulnerability, we ask the researcher to escalate to directors@advancedinformatics.co.uk before publishing.

9. Recognition

9.1 Advanced Informatics does not currently pay monetary bounties for vulnerability reports.

9.2 We are happy to publicly acknowledge researchers whose reports lead to a confirmed remediation, on a Researcher Acknowledgements page at https://advancedinformatics.co.uk/security/, on request and with the researcher's consent. The acknowledgement will record (at the researcher's choice) name or pseudonym, a brief description of the finding, and the date of remediation.

9.3 Where a researcher has materially helped Advanced Informatics avoid a serious incident, the directors may at their discretion offer a discretionary recognition (for example, a written reference, a written letter of thanks, or a token of appreciation). This is not a bounty and is not contractually owed.

10. Legal

10.1 This policy is a public statement of how Advanced Informatics handles vulnerability reports. It is not a contract and does not give rise to enforceable rights against Advanced Informatics, except to the limited extent that the safe-harbour undertaking in paragraph 4.1 may, depending on the circumstances, give rise to a defence or estoppel against Advanced Informatics in proceedings it might otherwise bring against a researcher who complied with this policy in good faith.

10.2 This policy is governed by the laws of England and Wales. Any dispute arising under it is subject to the non-exclusive jurisdiction of the courts of England and Wales. Nothing in this paragraph prevents Advanced Informatics or a researcher from invoking any mandatory protection of the researcher's local law that cannot be derogated from by agreement.

10.3 Advanced Informatics may amend this policy at any time. The version published at https://advancedinformatics.co.uk/security/ at the time a researcher conducts research is the version that applies to that research.

11. Standards alignment

Standard How this policy aligns
ISO/IEC 29147:2018 (Vulnerability disclosure) Sections 2-5, 7-9 (receiving, handling, and disclosing reports).
ISO/IEC 30111:2019 (Vulnerability handling processes) Sections 6, 8 (triage and remediation lifecycle).
RFC 9116 (security.txt) Section 5 (reporting channel) - referenced from https://advancedinformatics.co.uk/.well-known/security.txt.
NCSC Vulnerability Disclosure Toolkit (UK), version 2 (current) Whole document - safe harbour, scope, communication, timelines.
NIS Cooperation Group, Coordinated Vulnerability Disclosure: Good Practice Guide Sections 4, 8 (coordinated disclosure approach).
IASME Cyber Assurance Theme 6 (Operational management). The policy supports IASME questions on monitoring and managing security weaknesses.
Cyber Essentials Plus Whole document - supports the patch-management and security-update controls by providing an additional channel through which previously unknown vulnerabilities can be raised.
Advanced Informatics

Enterprise software for complex operational businesses.

Company

  • What We Do
  • Contact

Capabilities

  • Platform Development
  • System Integration
  • Cloud Architecture
  • AI & Data
© 2026 Advanced Informatics Ltd. All rights reserved. Privacy & Cookie Policy Terms of Use Security

Advanced Informatics Ltd is registered in England and Wales, company number 11479544. Registered office: 58 Tamworth Road, Long Eaton, Nottingham, Derbyshire, NG10 3LW.