Responsible Disclosure Policy

Last Updated

May, 2026

Introduction

Hoxton Workplace Partners Limited ("Hoxton") takes the security of its systems seriously and values the contribution of security researchers and the wider community in identifying and responsibly reporting security vulnerabilities. This policy sets out how to report a vulnerability to us and what you can expect in return.

If you have questions about this policy, please contact us.

Scope

This policy applies to security vulnerabilities identified in:

· The Hoxton website at wearehoxton.com

· Any web-based services or applications operated by Hoxton

It does not apply to third-party services or platforms used by Hoxton. If you identify a vulnerability in a third-party service, please report it directly to that provider.

How to report

If you believe you have identified a security vulnerability affecting Hoxton's systems, please report it to us as soon as possible by contacting our team. Where possible, please include:

· A clear description of the vulnerability and the potential impact

· The steps required to reproduce it

· Any supporting evidence such as screenshots or proof-of-concept code

· Your contact details, so we can follow up with you

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it.

What to expect

We will aim to:

· Acknowledge receipt of your report within ten working days

· Assess the report and, where appropriate, take steps to address the vulnerability

· Keep you informed of progress where we are able to do so

· Notify you when the vulnerability has been addressed

We are a small team and some vulnerabilities may take longer to investigate or may depend on third-party providers to resolve. We ask that you give us a reasonable period to investigate and address the issue before any public disclosure. We consider ninety days to be a reasonable starting point, though we are happy to discuss this with you if circumstances require a different approach.

Our expectations

We ask that security researchers:

· Act in good faith and with the intent to improve security

· Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability

· Do not conduct denial of service attacks, social engineering, or physical security testing

· Do not disclose the vulnerability to others before we have had the opportunity to address it

· Comply with all applicable laws

Hoxton will not take legal action, including under the Computer Misuse Act 1990, against researchers who identify and report vulnerabilities in good faith and in accordance with this policy.

Recognition

We appreciate the contribution of researchers who help us improve our security. Where a researcher has acted in good faith and in accordance with this policy, we are happy to acknowledge their contribution if they wish, subject to their consent.

We do not currently operate a bug bounty programme.

Changes

We may update this policy from time to time. The current version will always be available on our website.