Bromcom Vulnerability Disclosure Policy 

Bromcom is committed to ensuring the security and integrity of our systems and data. We welcome reports of potential security vulnerabilities and appreciate the efforts of those who help us improve our security.

How to Report a Vulnerability 

If you believe you have identified a security vulnerability in Bromcom software or systems, please report it to us by emailing: 

disclosure@bromcom.com

Please include: 

  • A clear description of the issue 
  • Sufficient detail for us to understand and reproduce the issue, including the relevant endpoints, URLs, or other affected components
  • Any supporting evidence (e.g. screenshots, logs, or proof-of-concept code) 
  • The potential impact of the issue

Our Commitment

If you act in good faith and in accordance with this policy, Bromcom will: 

  • Acknowledge receipt of your report promptly 
  • Investigate and validate the issue 
  • Work to remediate confirmed vulnerabilities in a timely manner 
  • Keep you informed of progress where appropriate

Guidelines for Researchers

When conducting security research on Bromcom systems, we ask that you: 

  • Act in good faith and avoid privacy violations, data destruction, or service disruption 
  • Only access data necessary to demonstrate the vulnerability 
  • Avoid accessing, modifying, or exfiltrating personal or sensitive data, particularly student data, unless strictly necessary to demonstrate the issue 
  • Do not exploit the vulnerability beyond proof-of-concept 
  • Do not disclose the vulnerability publicly without our prior written consent 
  • Give us reasonable time to investigate and address the issue before any disclosure

Researchers Under 18

We recognise that some security researchers may be under 18. If you are under 18, we ask that: 

  • You involve a parent, guardian, or responsible adult in your disclosure 
  • Any communication regarding rewards or formal agreements involves a parent or guardian

Out of Scope

The following are generally considered out of scope: 

  • Issues requiring physical access to a user’s device 
  • Social engineering or phishing attacks 
  • Denial of service (DoS/DDoS) attacks 
  • Reports based solely on automated scanning without demonstrated impact

Safe Harbour

Bromcom will not pursue legal action against individuals who: 

  • Make a good faith effort to comply with this policy 
  • Do not exploit vulnerabilities for personal gain or malicious purposes 
  • Report vulnerabilities responsibly and in line with this policy

Rewards

Bromcom does not currently operate a formal bug bounty programme. However, we may, at our discretion, offer a reward or recognition for responsible disclosures.

Recognition

With your consent, we may acknowledge your contribution publicly.

We appreciate the efforts of the security community in helping us maintain a safe and secure environment for our users.