This policy outlines how ADHD-Plus handles the reporting of security vulnerabilities. Before submitting a report, please review this document in full and ensure your actions remain compliant with it. We greatly value security researchers and individuals who responsibly disclose vulnerabilities, though we do not offer monetary rewards for such reports.
How to Report
If you believe you’ve identified a security weakness in any ADHD-Plus system:
Submit your report to the contact address listed in our security.txt file.
Provide:
The affected website, IP address, or page.
A short description of the vulnerability type (e.g., “XSS vulnerability”).
Clear, safe, and non-destructive reproduction steps or proof of concept.
These details help us assess the issue quickly and prevent duplicate reports or malicious exploitation, such as sub-domain takeovers.
Our Response
Acknowledgement: Within 5 working days of receiving your report.
Initial Review: We aim to triage within 10 working days.
Remediation Priority: Determined by severity, impact, and exploit complexity.
Some issues may take longer to resolve, but you will be updated on progress. Please avoid requesting status updates more than once every 14 days to allow our team to focus on remediation. Once the vulnerability is fixed, we may invite you to verify the solution. If you wish to make your report public, please coordinate disclosure timing with us.
Rules of Engagement
You must NOT:
Break laws or regulations.
Access or download unnecessary, excessive, or sensitive data.
Modify, corrupt, or delete data.
Use destructive or high-intensity scanning tools.
Attempt denial-of-service attacks.
Disrupt ADHD-Plus operations.
Submit non-exploitable or “best-practice” gap reports (e.g., missing security headers, TLS 1.0 support).
Share vulnerability details outside of the agreed communication channel.
Attempt phishing, social engineering, or physical intrusion against ADHD-Plus staff or infrastructure.
Request payment for disclosure.
You must:
Comply with data protection regulations, including GDPR.
Not share, redistribute, or inadequately secure any data accessed.
Delete all data obtained during testing as soon as it is no longer needed, and no later than 1 month after remediation, unless otherwise required by law.
GDPR Compliance
Any handling of personal data in the course of vulnerability testing must comply with the UK GDPR and Data Protection Act 2018. Personal data should only be accessed if strictly necessary for confirming the vulnerability and must be securely deleted immediately after use. You must not retain, disclose, or use any such data for purposes beyond reporting the vulnerability.
Legal Notice
This policy supports recognised best practices in responsible vulnerability disclosure. It does not grant immunity from legal action if your conduct breaches applicable laws or causes ADHD-Plus—or its partners—to violate legal obligations.