Security

Security & Responsible Disclosure

We take the security of swiftRMS, and the safety documentation our customers trust us with, seriously. If you believe you have found a vulnerability, we want to hear from you and we will work with you to put it right.

Report a vulnerability

Email security@swiftrms.co.uk with as much detail as you can. To help us reproduce and fix the issue quickly, please include:

  • A clear description of the issue and its potential impact
  • Step-by-step instructions to reproduce it
  • The affected URL, endpoint, or page
  • Any proof-of-concept code, screenshots, or request and response logs

Our commitment to you

  • We will acknowledge your report within 3 business days.
  • We will investigate, keep you updated on progress, and tell you when the issue is resolved.
  • We will not pursue or support legal action against you for good-faith research that follows this policy.
  • With your permission, we are happy to publicly credit you once the issue is fixed.

swiftRMS does not currently operate a paid bug bounty. We are grateful for every responsible disclosure and recognise the researchers who help us improve.

In scope

  • swiftrms.co.uk and its subdomains
  • app.swiftrms.co.uk (the swiftRMS application)
  • Public APIs served from the domains above

Testing guidelines

  • Make a good-faith effort to avoid privacy violations, data loss, and service disruption.
  • Only test against accounts you own or have explicit permission to use. Never access, modify, or delete other users' data.
  • Do not run automated scanning that degrades the service for other users.
  • Give us a reasonable time to investigate and fix an issue before any public disclosure. We aim for 90 days.
  • Keep the details of any vulnerability confidential until we confirm it has been resolved.

Out of scope

The following are generally not eligible. We may still review them, but they are unlikely to be treated as actionable vulnerabilities:

  • Findings from automated scanners without a working proof of concept or demonstrated impact
  • Missing security headers, SPF, DKIM, or DMARC records without a demonstrated exploit
  • Rate-limiting, brute-force, or account-enumeration reports without demonstrated impact
  • Clickjacking on pages with no sensitive action, or self-XSS
  • Social engineering, phishing, or physical attacks against our staff, customers, or premises
  • Denial-of-service (DoS / DDoS) and volumetric testing
  • Vulnerabilities in third-party services we use (please report those to the relevant provider)
  • Best-practice or informational findings with no security impact

Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorised. We will work with you to understand and resolve the issue promptly, and we will not pursue or support legal action related to your research.

A machine-readable version of this policy is published at /.well-known/security.txt following RFC 9116.