Vulnerability Disclosure Policy
Last Updated: 21 April 2026
1. Our commitment
Standard Tonnage Limited takes the security of our customers, our platform, and our data seriously. We welcome reports from security researchers, customers, and members of the public who identify potential vulnerabilities in our services. This policy sets out how to report a vulnerability, what we commit to in return, and the safe harbour we extend to good-faith researchers.
2. How to report
Send a report by email to security@standardtonnage.com.
A machine-readable security contact is also published at /.well-known/security.txt in accordance with RFC 9116.
Where possible, please include:
- A clear description of the issue and its potential impact.
- Step-by-step instructions to reproduce the issue.
- Any supporting proof-of-concept code, screenshots, or network captures.
- The affected URL, endpoint, or system.
- Your preferred contact details and, if you wish, a name for public credit.
3. Scope
The following assets are in scope for this policy:
- standardtonnage.com and all subdomains.
- The Standard Tonnage web application at app.standardtonnage.com.
- Public APIs operated by Standard Tonnage.
The following are out of scope:
- Denial of service (DoS), distributed denial of service (DDoS), or volumetric attacks.
- Social engineering of staff, customers, or contractors.
- Physical attacks on any facility.
- Testing that degrades availability for other users.
- Findings from automated tools without demonstrated exploitability (e.g. missing headers on assets not in scope, generic information disclosure with no security impact).
- Third-party services we rely on (please report directly to the relevant vendor — a non-exhaustive list is published at /sub-processors).
- Self-XSS, clickjacking on pages without sensitive actions, missing best-practice headers without impact, CSRF on unauthenticated forms.
4. Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will:
- Not pursue or support any legal action against you related to your research.
- Work with you to understand and resolve the issue promptly.
- Recognise your contribution, publicly or privately, according to your preference, once the issue is resolved.
Good-faith research means, among other things, that you:
- Only interact with accounts you own or have explicit permission to test.
- Do not access, modify, or delete data belonging to others.
- Stop testing and notify us as soon as you have confirmed a vulnerability.
- Do not exfiltrate more data than is necessary to demonstrate the issue.
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it (see Disclosure timeline below).
- Comply with all applicable laws, including the Computer Misuse Act 1990.
5. Our response commitment
- Acknowledgement: within 3 business days of receipt.
- Triage and severity assessment: within 10 business days.
- Status updates: at least every 14 calendar days until resolution.
- Resolution targets: Critical within 7 days, High within 30 days, Medium within 90 days, Low at the next scheduled release.
6. Coordinated disclosure
We follow a 90-day coordinated disclosure window from the date a vulnerability is triaged. If we and the reporter agree, this window may be extended (for example, to align with customer communications) or shortened (for example, where a public exploit already exists). We will always try to credit the reporter in our release notes or security advisory, with their consent.
7. What we do not offer
We do not currently run a paid bug bounty programme. We may offer recognition, written thanks, or modest non-monetary tokens at our discretion. We will evaluate a paid programme as the business grows.
8. Changes to this policy
We will publish changes to this policy here. Material changes will be highlighted at the top of the page for at least 30 days.
Standard Tonnage Limited, registered in England and Wales.
Questions about this document: info@standardtonnage.co.uk · Security: security@standardtonnage.com