Vulnerability Disclosure Policy
Version 2.0 · Last updated: 3 May 2026
BuiltByGo Ltd welcomes reports from the security research community and the general public about potential security vulnerabilities in our systems. We are committed to investigating and addressing all legitimate reports promptly, transparently, and in good faith.
Scope
This policy applies to builtbygo.com and subdomains, contact.builtbygo.com, status.builtbygo.com (when published), and any other internet-facing service operated by BuiltByGo. Client-operated systems, third-party providers, and social engineering are out of scope.
Reporting a vulnerability
Report to security@builtbygo.com. Include the affected system, a description, steps to reproduce, proof-of-concept evidence, and your contact details (optional; anonymous reports are accepted). PGP-encrypted communication is available on request.
Response timeline
| Stage | Timeline |
|---|---|
| Acknowledge receipt | Within 5 working days |
| Initial triage and severity assessment | Within 10 working days |
| Remediation timeline communicated | Within 15 working days |
| Public disclosure coordination | Coordinated with you in good faith |
Safe harbour
We consider security research conducted in good faith and in accordance with this policy to be authorised conduct. We will not pursue legal action against researchers who share details with us before public disclosure, avoid exploiting vulnerabilities beyond what is necessary to demonstrate the issue, and do not disrupt or degrade our services. This safe harbour does not extend to conduct illegal under the Computer Misuse Act 1990.
Penetration testing
We welcome external research at any time. Annual third-party penetration testing is targeted to commence by Q4 2026 alongside Cyber Essentials Plus accreditation. Per-engagement testing of client-specific deployments is available as a separately scoped engagement.
Recognition
We do not currently operate a paid bug bounty programme. We offer public acknowledgement for legitimate disclosures where the reporter wishes to be credited.
Document history
| Version | Date | Changes |
|---|---|---|
| 1.0 | May 2026 | Initial publication |
| 2.0 | 3 May 2026 | Reporting contact moved to dedicated security@builtbygo.com; added explicit response timeline table; expanded safe harbour terms; added scope clarifications; added coordinated disclosure framework with ISO 29147 reference; added Q4 2026 penetration testing target; clarified no paid bounty but public acknowledgement available |
Contact
- Security reports: security@builtbygo.com
- General security enquiries: security@builtbygo.com
- Privacy and data protection: privacy@builtbygo.com