Vulnerability Disclosure Policy
Last updated: 6 May 2026
Hilead Ltd (“Hilead”, “we”, “us”) takes the security of its Service seriously. We welcome reports of vulnerabilities from security researchers and the wider community, and we commit to handling them responsibly.
This policy explains how to report vulnerabilities to us and what you can expect in return.
1. Scope
This policy applies to vulnerabilities found in:
- The Hilead web application at hilead.co.
- The Hilead API and any associated subdomains operated by Hilead.
- Hilead’s official mobile and desktop applications, where applicable.
The following are out of scope:
- Third-party services we use (please report to the relevant vendor): Lemon Squeezy, Hetzner, Resend, etc.
- Social engineering attacks against Hilead employees, contractors, or customers.
- Physical attacks against Hilead infrastructure or offices.
- Denial of Service (DoS / DDoS) attacks.
- Brute force attacks against authentication endpoints.
- Issues found through automated scanners with no demonstrated impact.
- Vulnerabilities requiring root or physical access to a victim’s device.
- Issues in third-party libraries unless we are using a vulnerable version with demonstrated impact.
2. How to report
If you believe you have found a security vulnerability, please email us at:
with the subject line: “Security Vulnerability Report”
Please include:
- A clear description of the vulnerability.
- Steps to reproduce the issue, including any required preconditions.
- The impact you believe the vulnerability has.
- Your name and contact details (so we can credit you, if you wish).
- Any proof-of-concept code, screenshots, or videos that help illustrate the issue.
If you wish to encrypt your report, please contact us first and we will provide a public key.
3. What we ask
To allow us to address vulnerabilities responsibly, we ask that you:
- Give us reasonable time to investigate and remediate before publicly disclosing the issue (typically 90 days, but we will work with you on timelines).
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Do not access, modify, or delete data that does not belong to you.
- Do not perform actions that could harm the Service or its users, including testing in production at scale.
- Do not use social engineering, phishing, or physical attacks.
- Comply with applicable laws at all times.
4. What you can expect
When you report a vulnerability in good faith and in line with this policy, we commit to:
- Acknowledge receipt of your report within 5 business days.
- Provide an initial assessment within 15 business days.
- Keep you informed of our progress as we investigate and remediate.
- Credit you publicly for the discovery, if you wish.
- Not pursue legal action against you for good-faith research conducted in line with this policy.
We do not currently operate a paid bug bounty programme, but we may offer recognition or, at our discretion, swag or modest rewards for high-impact reports.
5. Safe harbour
Hilead considers security research conducted in line with this policy to be:
- Authorised under the Computer Misuse Act 1990 (UK) and equivalent computer crime laws.
- Exempt from the restrictions in our Terms of Service that would otherwise prohibit such activity.
- A lawful and welcome contribution to the security of our Service.
If your security research violates this policy unintentionally, we will work with you to clarify the issue and bring you back into scope. We will not pursue legal action against good-faith researchers.
6. Hall of fame
We may, with your permission, publicly acknowledge security researchers who have responsibly disclosed vulnerabilities. Please let us know in your report whether you would like to be credited and how (real name, handle, link).
7. Reporting non-security issues
For non-security bugs, please use our standard support channel at hello@hilead.co.
8. Contact
For all security-related communications:
- Email: hello@hilead.co
- Subject line: “Security Vulnerability Report”
Hilead Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom