Email [email protected] with enough detail for us to reproduce the issue. A useful report usually includes:

• The type of issue and the affected URL, endpoint, or component.
• Step-by-step instructions to reproduce it, including any requests or payloads.
• The impact you believe it has, and any proof of concept you can share safely.

The same contact details are published in machine-readable form at /.well-known/security.txt, per RFC 9116. We do not run a paid bug-bounty programme, but we are glad to credit researchers who report responsibly (see section 5).

This policy covers the assets we operate:

• The postcodelabs.com website and its subdomains.
• The Agent Readiness Check service and the reports it produces.

The following are out of scope — please do not test against them:

• Third-party services we rely on, such as our hosting, email, or analytics providers. Report those to the relevant vendor.
• Denial-of-service, volumetric, or other load-generating attacks.
• Social engineering, phishing, or physical attacks against our people, contractors, or premises.
• Reports of missing best-practice hardening — such as absent security headers — with no demonstrated, exploitable impact.
• Output from automated scanners that you have not validated by hand.

We consider security research and disclosure carried out in line with this policy to be authorised, lawful, and welcome. If you make a good-faith effort to follow this policy during your research, we will:

• Not pursue or support legal action against you for accidental, good-faith violations of this policy.
• Not report you to law enforcement for good-faith research conducted within the scope above.
• Work with you to understand and resolve the issue promptly, and recognise your contribution if you would like us to.

This safe harbour applies only so far as we are legally able to grant it. It does not bind third parties, and it does not authorise activity that is unlawful regardless of this policy. If you are unsure whether something is in scope or permitted, ask us at [email protected] before you proceed.

To stay within this safe harbour, please:

• Give us a reasonable chance to fix an issue before disclosing it publicly, and coordinate timing with us.
• Avoid privacy violations, data destruction, and any interruption or degradation of our services.
• Only interact with accounts you own or have explicit permission to test, and access only the minimum data needed to demonstrate the issue.
• Delete any data you retrieve as soon as it is no longer needed to report the issue, and never store, share, or exploit it.

When you report an issue in good faith, you can expect us to:

• Acknowledge your report within five business days.
• Keep you updated as we triage, confirm, and work on a fix.
• Let you know when the issue is resolved.
• Credit you for the discovery once it is fixed, if you would like to be named.