How to report a security vulnerability you have found in one of our systems, and how we will handle your report.
Advanced Informatics Ltd ("Advanced Informatics", "we", "us", "our") takes the security of its systems and the data entrusted to it seriously. We welcome reports from security researchers and members of the public about vulnerabilities they have identified in our systems. This policy sets out what is in scope, how to report a vulnerability, the protections we offer good-faith researchers, and how we will respond.
1.1 Advanced Informatics Ltd takes the security of its systems and the data entrusted to it seriously. We welcome reports from security researchers and members of the public about vulnerabilities they have identified in our systems.
1.2 This policy:
1.3 This policy applies to Advanced Informatics Ltd as a corporate entity. It does not apply to vulnerabilities in client systems we do not own or operate, or in third-party services we use (for those, please report to the respective provider directly - see paragraph 4.4).
1.4 This policy is aligned with ISO/IEC 29147:2018 (Vulnerability disclosure), ISO/IEC 30111:2019 (Vulnerability handling processes), the UK National Cyber Security Centre's Vulnerability Disclosure Toolkit, and RFC 9116 (security.txt).
2.1 The following Advanced Informatics-owned and Advanced Informatics-operated assets are in scope for good-faith security research under this policy:
https://advancedinformatics.co.uk and its subdomains operated by Advanced Informatics;advancedinformatics.co.uk (for issues such as missing or weak SPF, DKIM, or DMARC, or for receiving phishing samples that impersonate the domain);https://advancedinformatics.co.uk/security/ at the time of testing.2.2 The list of in-scope assets may be updated from time to time. The version published on the website at the time of testing is authoritative. Under RFC 9116 a security.txt file applies only to the host from which it is retrieved, not to that host's subdomains; Advanced Informatics publishes security.txt on each in-scope host where practicable, but a subdomain operated by Advanced Informatics remains in scope by virtue of this policy and the in-scope list at https://advancedinformatics.co.uk/security/ even where it does not carry its own security.txt.
2.3 Where an in-scope Advanced Informatics system is hosted on third-party infrastructure, the authorisation in this policy extends only to the Advanced Informatics application layer and configuration, and not to the underlying platform, which is out of scope under paragraph 3.1.
3.1 The following systems are explicitly out of scope. Research, testing, or attempted exploitation of these systems is not authorised by this policy:
3.2 The following types of activity are out of scope under this policy and are not authorised, regardless of the system targeted:
3.2A Researchers based outside the United Kingdom remain responsible for compliance with their own local law. In Ireland, the relevant statute is the Criminal Justice (Offences Relating to Information Systems) Act 2017.
3.3 The following finding types are typically not treated as security vulnerabilities under this policy and may be closed without remediation, although they will still be acknowledged:
4.1 Advanced Informatics will not pursue, support, or encourage any civil proceedings or criminal prosecution, and will not report to law enforcement, any researcher who, in good faith, complies with this policy in researching and reporting a vulnerability in an in-scope system, even where that research would otherwise involve activity caught by sections 1, 2, 3, 3ZA, or 3A of the Computer Misuse Act 1990, the Investigatory Powers Act 2016, or the Copyright, Designs and Patents Act 1988, or related civil claims that Advanced Informatics could otherwise bring. This safe harbour is given under the law of England and Wales; researchers in other jurisdictions remain responsible for compliance with their own local law.
4.2 The authorisation in paragraph 4.1 is given by Advanced Informatics in respect of itself only. It does not bind any other person and does not grant authorisation in respect of any third-party system. Advanced Informatics cannot grant authorisation under criminal law (only the relevant prosecuting authority can decide whether to prosecute). What Advanced Informatics undertakes is that it will not itself initiate, support, or encourage a prosecution against a researcher who has complied with this policy in good faith, and will, on request, confirm to a prosecutor or court that the research was authorised under this policy.
4.3 The safe harbour in paragraph 4.1 applies only where the researcher:
4.3A If a researcher inadvertently accesses personal data or other sensitive information beyond what is necessary to demonstrate the vulnerability, they should stop immediately, not download, copy, or further access that data, record only what is needed to describe the issue, and tell Advanced Informatics promptly in their report so that Advanced Informatics can assess any obligation it has under Articles 33 and 34 of the UK GDPR (or, as applicable, the EU GDPR). Following this step is treated as compliance with this policy, not a breach of it.
4.4 If a researcher believes they have identified a vulnerability in a third-party service that affects Advanced Informatics or its clients, they should report it to the third-party provider's own vulnerability disclosure programme. They may also notify Advanced Informatics through the channel in section 5; we will coordinate with the provider where appropriate.
4.4A Where a reported vulnerability affects an Advanced Informatics client, or requires a fix from a supplier or sub-processor, Advanced Informatics will coordinate disclosure and remediation in line with ISO/IEC 30111:2019, notify any affected client without undue delay where the Incident Response Plan or a Data Processing Agreement requires, and keep the researcher informed of any timeline changes that result.
4.5 Nothing in this policy authorises a researcher to act in breach of any obligation owed to a third party (for example, the terms of service of a hosting provider used by Advanced Informatics). Compliance with such third-party obligations is the responsibility of the researcher.
5.1 Reports should be sent to:
5.2 Please include in the report, as far as is reasonably possible:
5.3 We accept reports in English. We do not accept reports submitted via social media direct message, public posts on social platforms, or unsolicited LinkedIn messages.
5.4 We do not currently operate a managed bug bounty platform (e.g. HackerOne, Bugcrowd, Intigriti). Reports submitted via such platforms about Advanced Informatics will not have been routed to us; please use the channel above.
6.1 The Incident Response Plan governs handling of any vulnerability report that turns out to be a confirmed live incident affecting Advanced Informatics or its clients. The timelines below are for handling the report itself.
6.2 Target timelines:
| Stage | Target | Notes |
|---|---|---|
| Acknowledgement | 2 business days from receipt | Confirms the report was received and assigns a tracking reference. |
| Initial triage | 5 business days from receipt | Confirms whether the report is in scope, validates the vulnerability, and assigns a severity. |
| Severity-based response | See paragraph 6.4 | Sets the target remediation window. |
| Status updates | At least every 14 calendar days while the report is open | More frequent for Critical or High severity. |
| Closure notification | Within 5 business days of remediation | Confirms remediation, the fix that was applied, and any acknowledgement (section 9). |
6.3 We use the Common Vulnerability Scoring System (CVSS), currently version 4.0 published by FIRST in November 2023, to assist with severity scoring, supplemented by a contextual judgement that takes account of exploitability, the sensitivity of any data potentially exposed, and the reachability of the vulnerable surface. Where a researcher provides a CVSS v3.1 score we will accept it and convert as needed. The qualitative severity bands at paragraph 6.4 are unchanged between v3.1 and v4.0.
6.4 Target remediation windows:
| Severity | Indicative CVSS base score | Target remediation window |
|---|---|---|
| Critical | 9.0-10.0 | 7 calendar days |
| High | 7.0-8.9 | 30 calendar days |
| Medium | 4.0-6.9 | 90 calendar days |
| Low | 0.1-3.9 | Best effort, typically next planned release cycle |
6.5 Remediation windows run from the date Advanced Informatics validates the vulnerability. If the window cannot be met for genuine engineering reasons (for example, a fix requires a coordinated upstream patch from a supplier), we will explain why and agree a revised target with the researcher. On remediation, Advanced Informatics may, with the researcher's agreement, invite the researcher to re-test the specific reported issue to confirm the fix; any such re-test of the original finding on an in-scope system is within the authorisation and safe harbour in section 4.
7.1 Advanced Informatics will treat the content of any vulnerability report as confidential to Advanced Informatics, the researcher, and (to the extent strictly necessary to triage and remediate) any supplier or sub-processor whose system is implicated.
7.2 We will not share the researcher's name, contact details, or any identifying information with anyone outside Advanced Informatics without the researcher's prior consent, except where required by law (for example, in response to a court order or a properly issued regulatory request) or where the report itself reveals an active criminal offence that requires reporting to law enforcement.
7.3 Any personal data of the researcher (within the meaning of Article 4(1) of the UK GDPR) provided in the course of a report is processed under our Privacy Notice. The lawful basis is Article 6(1)(f) of the UK GDPR (legitimate interests), as expressly recognised in Recital 49 of the GDPR and codified for the United Kingdom by Article 6(11)(c) of the UK GDPR (inserted by section 70(4) of the Data (Use and Access) Act 2025, in force 5 February 2026 by SI 2026/82), which lists processing necessary for ensuring the security of network and information systems as an example of processing that may constitute a legitimate interest under Article 6(1)(f). The processing is not a "recognised legitimate interest" under Annex 1 of the UK GDPR (inserted by Schedule 4 of the Data (Use and Access) Act 2025), so the balancing test continues to apply. The legitimate interest is the operation of a vulnerability disclosure programme to protect Advanced Informatics' systems and the data entrusted to us; Advanced Informatics has carried out a legitimate-interests assessment, which is held internally and is available to the Information Commissioner's Office on request. For researchers based in the European Economic Area, the corresponding lawful basis is Article 6(1)(f) of the EU GDPR (Regulation (EU) 2016/679). The retention period for vulnerability reports is six years from closure, aligned with the Data Retention Schedule entry for security incidents and consistent with the limitation period under the Limitation Act 1980. Researchers may exercise their data subject rights under Articles 15 to 22 of the UK GDPR (or, as applicable, the EU GDPR) by contacting dataprotection@advancedinformatics.co.uk.
8.1 Advanced Informatics asks researchers to allow us a reasonable opportunity to remediate before publishing details of a vulnerability. Our default coordinated-disclosure window is ninety days from validated triage, subject to the following:
8.2 We will not seek to indefinitely suppress publication of a finding. If a report is closed as out of scope or as a "won't fix" duplicate or known limitation, we will say so to the researcher, and the researcher is then free to publish the finding, subject always to the researcher's continuing obligations under section 4 - in particular not publishing any personal data, Advanced Informatics or client confidential information, or third-party data accessed during the research, and complying with the UK GDPR or EU GDPR as applicable.
8.3 We expect researchers, as a condition of the safe harbour in section 4, not to publish before the agreed coordinated-disclosure date and not to disclose technical detail of an unpatched vulnerability to any third party other than the researcher's own legal or technical advisers under appropriate confidentiality. Where a researcher believes Advanced Informatics is failing to act on a confirmed vulnerability, we ask the researcher to escalate to directors@advancedinformatics.co.uk before publishing.
9.1 Advanced Informatics does not currently pay monetary bounties for vulnerability reports.
9.2 We are happy to publicly acknowledge researchers whose reports lead to a confirmed remediation, on a Researcher Acknowledgements page at https://advancedinformatics.co.uk/security/, on request and with the researcher's consent. The acknowledgement will record (at the researcher's choice) name or pseudonym, a brief description of the finding, and the date of remediation.
9.3 Where a researcher has materially helped Advanced Informatics avoid a serious incident, the directors may at their discretion offer a discretionary recognition (for example, a written reference, a written letter of thanks, or a token of appreciation). This is not a bounty and is not contractually owed.
10.1 This policy is a public statement of how Advanced Informatics handles vulnerability reports. It is not a contract and does not give rise to enforceable rights against Advanced Informatics, except to the limited extent that the safe-harbour undertaking in paragraph 4.1 may, depending on the circumstances, give rise to a defence or estoppel against Advanced Informatics in proceedings it might otherwise bring against a researcher who complied with this policy in good faith.
10.2 This policy is governed by the laws of England and Wales. Any dispute arising under it is subject to the non-exclusive jurisdiction of the courts of England and Wales. Nothing in this paragraph prevents Advanced Informatics or a researcher from invoking any mandatory protection of the researcher's local law that cannot be derogated from by agreement.
10.3 Advanced Informatics may amend this policy at any time. The version published at https://advancedinformatics.co.uk/security/ at the time a researcher conducts research is the version that applies to that research.
| Standard | How this policy aligns |
|---|---|
| ISO/IEC 29147:2018 (Vulnerability disclosure) | Sections 2-5, 7-9 (receiving, handling, and disclosing reports). |
| ISO/IEC 30111:2019 (Vulnerability handling processes) | Sections 6, 8 (triage and remediation lifecycle). |
| RFC 9116 (security.txt) | Section 5 (reporting channel) - referenced from https://advancedinformatics.co.uk/.well-known/security.txt. |
| NCSC Vulnerability Disclosure Toolkit (UK), version 2 (current) | Whole document - safe harbour, scope, communication, timelines. |
| NIS Cooperation Group, Coordinated Vulnerability Disclosure: Good Practice Guide | Sections 4, 8 (coordinated disclosure approach). |
| IASME Cyber Assurance | Theme 6 (Operational management). The policy supports IASME questions on monitoring and managing security weaknesses. |
| Cyber Essentials Plus | Whole document - supports the patch-management and security-update controls by providing an additional channel through which previously unknown vulnerabilities can be raised. |