Security

Vulnerability Disclosure Policy

Thank you for helping to keep BundleCreator secure. Our users include litigants in person, domestic abuse survivors, SEND families, and others who depend on the justice system but often cannot afford legal representation. Your work protects them.

Our commitment to you — safe harbour

If you make a good-faith effort to follow this policy during your research, we will:

  • Treat your activity as authorised under the Computer Misuse Act 1990 and not pursue or support any civil or criminal action against you.
  • Work with you to understand and resolve the issue quickly.
  • Acknowledge receipt of your report within 72 hours and triage it within five business days.
  • Credit you publicly on our Defenders of Access to Justice page, with your consent.

This safe harbour does not extend to actions taken in bad faith, data theft, extortion, or testing outside the scope below.

What we can offer in return

BundleCreator is a small, bootstrapped UK team serving users who often cannot afford legal help. We do not pay financial rewards for security research. What we can offer is genuine and lasting recognition:

  • Public recognition

    Named credit on our Defenders of Access to Justice page, with optional link to your profile.

  • Signed letter of thanks

    A dated certificate of contribution from the founder, by post or PDF — useful for CV and pro-bono records.

  • CVE credit

    Where applicable, we will support assignment of a CVE identifier with you named as reporter.

  • Free Platinum account (12 months)

    For High or Critical findings — useful to you or anyone you know facing a legal matter.

  • LinkedIn recommendation

    Personal, permanent, from the founder — for High or Critical findings.

  • Defender of the Year

    An annual named recognition for the year's most impactful contribution, featured on our blog.

In scope

You are welcome to research the following production systems:

  • https://bundlecreator.co and its subdomains
  • Our public API routes under /api/*
  • Authentication, session management, and access-control behaviour
  • Bundle sharing, document upload, and export flows on your own account

Out of scope

The following are out of scope and will not be accepted as disclosures:

  • Staging and development environments
  • Third-party services we rely on — please report to them directly: Clerk (authentication), Stripe (payments), Supabase (database), Google Cloud Platform, Cloudflare
  • Denial-of-service, volumetric, or brute-force load tests
  • Social engineering of staff, customers, or contractors; physical intrusion
  • Missing security headers without a demonstrated exploit chain
  • Self-XSS, clickjacking on pages without sensitive state changes, CSV-injection-in-export without impact
  • Rate-limit findings without a demonstrated security impact
  • Outdated browsers and libraries without a working exploit
  • Reports generated solely by automated scanners without manual validation

Rules for protecting our users

Our users upload bundles containing sensitive legal material — domestic abuse statements, child arrangements, financial disclosures, medical records. You must:

  • Only test on accounts you have created yourself, using synthetic data
  • Never access, download, copy, store, or share another user's bundle data
  • Stop immediately and report to us the moment you observe any access to another user's data
  • Delete all data obtained during testing once the finding is triaged
  • Respect UK GDPR, the Data Protection Act 2018, and legal professional privilege at all times

How to report a vulnerability

Send your report to security@bundlecreator.co. Please include:

  • A clear description of the issue and its potential impact
  • Affected URL, endpoint, or component
  • Step-by-step reproduction — a proof-of-concept, screenshots, or short screen capture is very helpful
  • Your name or handle and, if you wish, a link to credit
  • Whether you consent to being named on the Defenders of Access to Justice page

We prefer reports in English. If your preferred language is different, please send in your language and we will translate.

Our response times

Stage                               Target
Initial acknowledgement             Within 72 hours
Triage and severity assignment      Within five business days
Fix target — Critical               Within 7 days
Fix target — High                   Within 30 days
Fix target — Medium                 Within 90 days
Fix target — Low                    Best effort

Severity is assessed using CVSS 3.1. We will keep you updated at each stage and will agree a coordinated disclosure timeline with you.

Coordinated disclosure

We aim to publish a fix and credit the reporter within 90 days of first report, or sooner once the fix is live and users are safe. If you would like to publish your own write-up, we will happily coordinate timing and review a draft for accuracy.

This policy is informed by ISO/IEC 29147:2018 (vulnerability disclosure), ISO/IEC 30111:2019 (vulnerability handling), the NCSC Vulnerability Disclosure Toolkit, and RFC 9116 (security.txt).

See our public credits:

Defenders of Access to Justice