Security & Responsible Disclosure
Britwise School Ltd · Last updated 14 June 2026 · security.txt: britwise.school/.well-known/security.txt
Report a vulnerability
Email security@britwise.school. Please do not file public GitHub issues, tweet, or post on Reddit about the finding before we have fixed it. We acknowledge reports within 72 hours and complete triage within 5 business days.
Safe harbour
We will not pursue legal action against security researchers who act in good faith. Good faith means: do not access or exfiltrate non-test data (stop and report as soon as you can demonstrate the issue), do not run denial-of-service or brute-force attacks, do not pivot from a finding into other systems or accounts, and give us 90 days from your report to fix the issue before public disclosure. We will credit you (with your permission) in our hall of fame.
What we want reported
SQL injection, XSS, CSRF, authentication bypass, authorisation flaws, IDOR, RCE, SSRF, path traversal, cryptographic weakness, exposure of credentials, dependency CVEs in our stack.
Out of scope
Best-practice findings without a demonstrated exploit (missing security headers, weak TLS configuration), self-XSS, social engineering of staff, physical attacks, denial of service, rate-limit bypass without demonstrated impact, and issues in third-party services (OpenAI, Stripe, Hetzner): report those to the provider concerned.
Bug bounty
No paid bounty at present. For findings we rate severity 3 or higher we send swag and a written reference. A monetary programme will launch when revenue supports it (target Q2 2027).
Our security posture
TLS 1.3 · AES-256 at rest · MFA mandatory for all staff · RBAC + audit log (immutable, 7-yr retention) · Quarterly dependency scan + annual third-party pentest · Cyber Essentials certification target Q4 2026 · SOC 2 Type 1 target 2027.