Responsible Disclosure Policy

1. Introduction

Rebasoft Limited (“Rebasoft”, “we”, “us”, or “our”) is committed to maintaining the security, integrity, and availability of our systems, services, and customer data.

We recognise the value of the security research community and encourage the responsible disclosure of vulnerabilities.

This policy defines how vulnerabilities should be reported and how Rebasoft will respond.

Our approach aligns with recognised industry standards, including ISO 27001 and NIST vulnerability handling guidance.

2. Scope

This policy applies to vulnerabilities identified in:

  • Rebasoft public websites (e.g. www.rebasoft.net)

  • Customer-facing platforms and services

  • Public APIs and externally accessible services

  • Infrastructure directly controlled by Rebasoft

3. Out of Scope

The following are explicitly out of scope:

  • Third-party systems not controlled by Rebasoft

  • Social engineering, phishing, or physical attacks

  • Denial of Service (DoS/DDoS) testing

  • Spam or brute-force testing

  • Issues requiring unrealistic or highly improbable attack scenarios

  • Access to customer environments without explicit authorisation

4. Reporting a Vulnerability

Vulnerabilities should be reported to:

security@rebasoft.net

Reports should include:

  • Clear description of the issue

  • Steps to reproduce

  • Potential impact

  • Proof of concept (where appropriate)

  • Contact details

Reports should be accurate, complete, and submitted in good faith.

5. Rebasoft Commitment

Rebasoft will:

  • Acknowledge receipt within 3 business days

  • Triage and validate promptly

  • Provide status updates where appropriate

  • Remediate validated issues based on severity

  • Maintain confidentiality of reporters (on request)

6. Vulnerability Management Process

Rebasoft operates a structured lifecycle:

  1. Submission – Report received

  2. Triage – Initial validation

  3. Classification – Severity assessment

  4. Remediation – Fix development and deployment

  5. Verification – Confirmation of resolution

  6. Disclosure – Coordinated communication

This ensures consistent, auditable handling of vulnerabilities.

7. Severity Classification

Rebasoft uses CVSS (or equivalent) to classify vulnerabilities:

  • Critical – Immediate risk requiring urgent action

  • High – Significant risk requiring prioritised remediation

  • Medium – Moderate risk requiring planned remediation

  • Low – Limited risk or impact

Severity determines remediation priority and response timelines.

8. Coordinated Disclosure

Rebasoft follows a coordinated disclosure model.

Researchers are requested to:

  • Avoid public disclosure until remediation is complete

  • Coordinate timelines with Rebasoft

Rebasoft aims to:

  • Resolve issues within 90 days, where reasonably practicable

Timelines may be adjusted based on complexity and risk.

9. Safe Harbour

This policy is intended to provide safe harbour under applicable UK law.

Rebasoft will not pursue legal action against individuals who:

  • Act in good faith

  • Follow this policy

  • Avoid harm, disruption, or data exposure

  • Do not access, exfiltrate, or modify data beyond what is necessary

  • Do not exploit vulnerabilities for personal gain

Safe harbour applies only where all conditions are met and activities remain lawful.

10. Responsible Testing Requirements

Researchers must:

  • Test only systems within scope

  • Avoid disruption to services

  • Not access or modify data belonging to others

  • Avoid excessive automated testing

  • Immediately cease testing if unintended access occurs

11. Rewards and Recognition

Rebasoft does not currently operate a formal bug bounty programme.

However, we may:

  • Acknowledge researchers (with consent)

  • Provide recognition for responsible disclosure

12. Prohibited Activities

The following are strictly prohibited:

  • Exploiting vulnerabilities

  • Accessing or exfiltrating data

  • Introducing malware

  • Attempting to disrupt services

  • Targeting customers or third parties

13. Legal Position

This policy:

  • Does not override applicable laws

  • Does not authorise unlawful activity

Rebasoft reserves the right to take action where activities:

  • Fall outside this policy

  • Breach applicable law

14. Updates

This policy may be updated periodically.

The latest version will always be published on the Rebasoft website.

15. Contact

All vulnerability reports and related enquiries should be sent to:

security@rebasoft.net