Responsible Disclosure Policy
Last updated: May 2026
Our commitment
At Navanto we take the security of our customers’ data and our application seriously. We welcome reports from security researchers and members of the public who help us find and fix vulnerabilities. This policy explains how to report a vulnerability to us and what you can expect in return.
If you follow this policy when researching and reporting a vulnerability, we will not pursue or support legal action against you in respect of your report.
Scope
This policy applies to:
- The Navanto web application at *.navanto.co.uk
- The Navanto API at api.navanto.co.uk
- The Navanto marketing website at www.navanto.co.uk
- The official Navanto mobile applications (when available)
This policy does not cover:
- Third-party services and infrastructure that we use (such as Amazon Web Services, our authentication provider, our email provider, and our AI service providers) — please report issues with those services directly to the relevant provider.
- Vulnerabilities in customer-controlled configurations or content that has been uploaded to the Service.
- Phishing, social engineering, or physical attacks against Navanto personnel or offices.
- Denial-of-service or volumetric attacks.
- Findings from automated scanners that have not been validated as exploitable.
If you are not sure whether your finding is in scope, contact us before testing.
Rules of engagement
When researching a vulnerability, please:
- Use only your own accounts, or accounts that you have explicit permission to test, and do not attempt to access, modify or delete other users’ data.
- Stop as soon as you have established the existence of the vulnerability and contact us — do not exfiltrate, retain or share any data you encounter beyond what is necessary to demonstrate the issue.
- Do not perform any action that could disrupt the Service for our users (no denial-of-service, brute-force, spam, or aggressive scanning).
- Do not use vulnerabilities to compromise other systems or to pivot beyond the immediate finding.
- Comply with applicable law, including the UK Computer Misuse Act 1990 and data protection law.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it (typically 90 days from the date of your report, though we will agree a different timeline with you where appropriate).
If you stay within the rules above, we treat your testing as authorised under the Computer Misuse Act 1990 and we will not take legal action against you for the testing or for the report.
How to report a vulnerability
Please email support@navanto.co.uk with:
- a clear description of the vulnerability and the impact;
- the URL or component affected;
- steps to reproduce, including any proof-of-concept code, screenshots or videos;
- any account identifiers you used during testing;
- your contact details (if you wish to be credited).
Where possible, please encrypt sensitive details using our PGP key, available at https://www.navanto.co.uk/.well-known/pgp-key.asc.
If you would prefer to remain anonymous, that is fine — please still provide enough technical detail for us to reproduce the issue.
What you can expect from us
| Stage | Target timeframe |
|---|---|
| Acknowledgement of your report | Within 3 business days |
| Initial triage and severity assessment | Within 10 business days |
| Status update during remediation | At least every 14 days until resolved |
| Notification when the issue is resolved | Within 5 business days of the fix being deployed |
| Credit (if you wish) | Published on our security acknowledgements page once the issue is resolved |
We will deal with you in good faith and will not share your identity with third parties without your consent, except where required by law.
Severity and prioritisation
We use the CVSS v3.1 framework to assess severity and prioritise remediation. As a guideline:
| Severity | Indicative target remediation |
|---|---|
| Critical (CVSS 9.0+) | 7 days |
| High (CVSS 7.0–8.9) | 30 days |
| Medium (CVSS 4.0–6.9) | 60 days |
| Low (CVSS 0.1–3.9) | 90 days, or in our regular release cycle |
Targets are indicative; actual timelines depend on complexity, dependencies and risk.
Out-of-scope findings
The following are typically not eligible for a response under this policy:
- Missing security headers without an associated exploitable vulnerability
- Best-practice violations without a demonstrated impact (e.g. cookie flags, weak TLS ciphers in non-sensitive contexts, SPF/DMARC issues without an active spoofing path)
- Self-XSS that requires the user to attack themselves
- Clickjacking on pages without sensitive actions
- Open redirect on logout
- Login or forgot-password page rate-limiting issues without a demonstrated brute-force impact
- Username enumeration on registration / password reset
- Email service configuration issues (SPF, DKIM, DMARC) absent active abuse
- Any finding that is reproducible only on a non-current browser
We may still acknowledge these findings as informational, but we will not treat them as in-scope vulnerabilities under this policy.
Bounties
We do not currently operate a paid bug bounty programme. We are happy to publicly thank researchers who report valid issues (with their consent) and to provide a written acknowledgement that can be referenced.
Changes to this policy
We may update this policy from time to time. The “last updated” date above will reflect any change.
Questions
If you have any questions about this policy, please email support@navanto.co.uk.