Responsible disclosure

How to report a security issue to HexaSec.

Document: HXS-LEGAL-RD · Effective: 21 May 2026 · Status: Live
Contents
  1. Summary
  2. How to report
  3. What to include in a report
  4. What is in scope
  5. What is out of scope
  6. What you must not do
  7. Good-faith research
  8. What happens after you report

— 01 Summary

HexaSec welcomes responsible reports of security issues affecting our website and other HexaSec-owned systems. We will work with good-faith researchers to understand, fix and acknowledge issues, within the scope and rules set out below.

— 02 How to report

Please email info@hexasec.co.uk with the subject line prefix [Security]. Encrypted reports may be requested by replying to your initial email; we will share a current contact and key on request.

— 03 What to include in a report

To help us triage quickly, please include:

  • A clear description of the issue and its potential impact.
  • The affected URL, endpoint or system.
  • Steps to reproduce, with the minimum necessary detail.
  • Any proof-of-concept payloads, scripts or screenshots — non-destructive only.
  • Your preferred name or handle for any acknowledgement.

— 04 What is in scope

This policy covers:

  • The public HexaSec website at hexasec.co.uk and its subdomains.
  • HexaSec-published artefacts and downloads shared directly with you.
  • Other systems explicitly authorised in writing by HexaSec for security testing.

— 05 What is out of scope

Out of scope, and not covered by this policy:

  • Third-party platforms, providers, customers, partners or their systems.
  • Production environments belonging to HexaSec customers.
  • Any system not owned by HexaSec or not explicitly authorised in writing.
  • Issues that require a victim to install unrelated software or fall for separate social engineering.
  • Reports based solely on missing security headers, version banners or theoretical risks without demonstrated impact.

— 06 What you must not do

To remain within this policy, you must not:

  • Test against any system not listed as in scope.
  • Conduct destructive testing, including data modification, deletion or denial of service.
  • Exfiltrate, retain or share data beyond the minimum needed to demonstrate the issue.
  • Carry out social engineering, phishing or physical attacks against HexaSec, our staff, partners or customers.
  • Send spam, automated mass-scanning floods, or otherwise degrade availability for other users.
  • Publicly disclose an issue before we have had a reasonable opportunity to respond and remediate.

— 07 Good-faith research

HexaSec will not pursue legal action against researchers who, acting in good faith, comply with this policy and applicable law. Activities outside the scope or rules above are not covered. This page does not create any contractual right, waiver or guarantee, and does not bind any third party.

— 08 What happens after you report

  • Acknowledgement — we aim to acknowledge new reports within two working days.
  • Triage — we will assess severity, scope and applicability.
  • Updates — we will keep you informed at reasonable intervals while we investigate.
  • Remediation — for valid in-scope issues we will work to remediate them on a timeline appropriate to severity.
  • Acknowledgement — with your permission we may publicly credit your contribution.
© 2026 HEXASEC LTD — REGISTERED IN ENGLAND & WALES
Company number: 16225807  ·  Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ