Goliathus Architects of cognitive systems · a practice of one, London

Security

If you have found a vulnerability in this site or in a Goliathus client system, we want to hear from you. This page tells you how to report it — and what we promise in return.

We build systems that hold other people’s trust, so we treat security as part of the craft — not an afterthought. Good-faith researchers are welcome here, and we will not pursue legal action against anyone who follows this policy.

¶ 01 Reporting

How to report

Email [email protected] with enough detail for us to reproduce the issue: the affected URL or system, the steps you took, and what you observed. A proof-of-concept or screenshot helps. If you need to share something sensitive, ask us for an encrypted channel and we will set one up.

Our machine-readable contact details are published at /.well-known/security.txt, following the RFC 9116 standard.

¶ 02 Our promise

What we commit to

  • We acknowledge your report within one business day
  • We give you an honest assessment and a realistic timeline for a fix
  • We keep you updated as we work, and tell you when it is resolved
  • We are happy to credit you publicly once the issue is fixed — or to keep you anonymous, whichever you prefer
  • We will not take legal action against you for good-faith research conducted under this policy

¶ 03 Ground rules

Testing in good faith

To stay within this policy, please:

  • Act in good faith to avoid privacy violations, data loss, and service disruption
  • Only interact with accounts you own or have explicit permission to test
  • Stop as soon as you have demonstrated a vulnerability — do not exfiltrate, alter, or destroy data
  • Give us reasonable time to fix an issue before disclosing it publicly
  • Never use social engineering, physical attacks, or denial-of-service testing against us, our clients, or our providers

¶ 04 Scope

What’s in scope

This policy covers goliathus.co.uk, its subdomains, and systems we operate directly for clients. Third-party services we rely on (our hosting, database, payment, and email providers) have their own disclosure programmes — please report issues in their platforms to them, and tell us so we can follow up on your behalf.

We do not currently run a paid bug-bounty programme. Recognition is offered with our genuine thanks.

¶ 05 Contact

Get in touch

Security reports: [email protected]. For anything else, [email protected].