Vulnerability disclosure policy
triageforge.co.uk · RFC 9116 security.txt · coordinated disclosure
This policy describes how to report a security vulnerability affecting the triageforge.co.uk domain, content, or any software TriageForge maintains, and what you can expect from us in return.
Where to send reports. Email security@triageforge.co.uk. Please include a clear description of the issue, the affected URL or component, and, where possible, a minimal reproducer.
What we cover
- Vulnerabilities in the triageforge.co.uk website, infrastructure, or hosted content
- Vulnerabilities in open-source software maintained by TriageForge — including the NTAG 424 DNA SDK for macOS
- Email and DNS configuration issues affecting the triageforge.co.uk domain
For vulnerabilities in other parties’ software discovered using TriageForge’s methodology, please follow the affected vendor’s own coordinated-disclosure process. Our published methodology and case studies are available on the main page.
What we ask of you
- Provide a clear, factual description and, where possible, a minimal reproducer or proof of concept
- Do not access, modify, or destroy data belonging to other parties
- Do not perform testing that degrades service for other users (rate limits, denial-of-service)
- Allow us a reasonable period to investigate and remediate before public disclosure (we suggest 90 days, in line with the Google Project Zero standard, but will negotiate if circumstances require a different timeline)
What you can expect from us
- Acknowledgement of your report within 14 calendar days
- An initial substantive response, including our assessment, within 30 calendar days
- Regular status updates while we work on remediation
- Public credit for the report at our coordinated-disclosure point, where you consent to be named
- Honest communication if we disagree with your assessment, including our reasoning
What we do not offer
We do not operate a paid bug bounty programme. Reports are accepted on the basis of coordinated disclosure and public credit only. No monetary compensation is offered or implied.
Safe harbour
We will not pursue legal action against good-faith security research conducted in accordance with this policy. Specifically, we consider research conducted in accordance with this policy to be authorised under the Computer Misuse Act 1990 for the purpose of identifying security issues affecting triageforge.co.uk. Research extending to third-party systems or data is outside the scope of this safe harbour.
Reference
This policy is referenced from our RFC 9116 security.txt. The policy may be updated from time to time; please consult the current version when filing a report.
Last updated: 22 May 2026 · Version: 1.0