Safety & Security Issues
Security & Vulnerability Disclosure Policy
Last updated: 01 January 2025
At LondonTreeHouses, we take security and privacy seriously. If you believe you have discovered a security vulnerability affecting our website or services, we encourage you to report it responsibly. This policy explains how to report issues, what we ask from researchers, and how we protect our customers, including users of our Track Order and customer account features.
Safe Harbor: If you follow this policy in good faith, we will not initiate legal action or enforcement investigation against you for your report. This does not apply to any malicious activity, data theft, extortion, or attempts to disrupt our services.
1) Fundamentals (Responsible Disclosure Rules)
When reporting a security issue, we ask that you:
- Give us reasonable time to review and repair the issue before making any public disclosure.
- Do not access or modify any private account or customer data without the account owner’s explicit consent.
- Make an honest, good-faith effort to avoid privacy violations and service disruptions (no deletion, no interruption, no degradation).
- Do not exploit any issue you discover for any reason (including demonstrating additional risk or attempting further compromise).
- Comply with all applicable laws and regulations.
2) Scope
This policy applies to vulnerabilities found on: londontreehouses.com and related services that we operate, including pages such as checkout, customer accounts, and Track Order.
Out of Scope (Examples)
- Physical attacks or social engineering of customers or staff
- Denial-of-service (DoS / DDoS) or traffic flooding
- Spam, phishing, or malware distribution
- Issues in third-party platforms not under our control (unless you can show a direct impact on our service)
3) How to Report a Vulnerability
To submit a report, email our security contact with clear details and reproducible steps. Please do not contact individual employees or attempt to publicly post the issue before we respond.
Email: contact@londontreehouses.com
Subject line suggestion: “Security Vulnerability Report – londontreehouses.com”
What to Include in Your Report
- A short summary of the issue and the affected URL(s)
- Steps to reproduce (clear and minimal)
- Expected vs actual behaviour
- Potential impact (what could happen if abused)
- Screenshots/logs (if helpful) and your contact details
- If you accidentally accessed sensitive data, disclose it immediately and stop further access
4) Track Order & Customer Privacy Commitment
Our Track Order feature is designed to help customers check delivery progress securely. We do not allow any attempt to:
- Guess or enumerate order numbers
- Access another customer’s order or personal information
- Bypass authentication or security checks
- Extract data from checkout, account pages, or support systems
Any testing must be limited to your own accounts and your own data, with explicit permission where required.
5) Bug Bounty Program (Optional)
We recognise and may reward security researchers who help keep people safe by responsibly reporting vulnerabilities. Any monetary bounty is entirely at the discretion of LondonTreeHouses and depends on risk, impact, exploitability, and report quality.
To Potentially Qualify
- Adhere to the Fundamentals above
- Report a genuine security/privacy risk in our services or infrastructure
- Submit a clear report with reproducible steps
- Disclose any accidental privacy impact immediately
- Allow time for investigation and remediation
We may choose to publish a summary of resolved reports (with sensitive details removed).
6) Rewards & Severity Levels
Rewards are based on the impact of the vulnerability. The amounts below are maximums per severity level and may be adjusted over time. We aim to be fair and transparent, but all rewards remain at our discretion.
| Severity | Max Reward | Examples (non-exhaustive) |
|---|---|---|
| Critical | £200 | Privilege escalation to admin, remote code execution, financial theft, full account takeover, SQL injection that leaks sensitive targeted data. |
| High | £100 | Authentication bypass (lateral), disclosure of important internal information, stored XSS impacting another user, insecure handling of authentication cookies, local file inclusion. |
| Medium | £50 | Issues affecting multiple users with little/no user interaction, common logic/design flaws, insecure direct object references (IDOR). |
| Low | Discretionary | Issues affecting single users or requiring significant prerequisites, open redirects, low-sensitivity information leaks. |
7) Our Response Process
- We acknowledge and review valid reports as quickly as possible.
- Due to volume, we prioritise based on risk and impact.
- We may ask follow-up questions to reproduce and verify the issue.
- We will work to remediate confirmed issues and may notify you once resolved.
8) Contact Us
For security vulnerability reports or questions about this policy, contact us:
Address
146 Portobello Rd
London W11 2DZ
United Kingdom