Security & Bug Reporting

Last updated: 17 February 2026

Our Commitment to Security

At EverFold Ltd, we take security seriously. We understand that our customers trust us with their precious photos and personal information. We are committed to maintaining robust security practices and working with security researchers to identify and fix vulnerabilities.

Responsible Disclosure

We encourage responsible reporting of security vulnerabilities. If you believe you've discovered a security issue in our website, applications, or infrastructure, please let us know immediately.

How to Report a Vulnerability

Please send security reports to our dedicated security email:

Security Contact:

Email: hello@everfold.co.uk

Subject: Security Vulnerability Report - [Brief Description]

Please include the following information in your report:

  • Description: Clear description of the vulnerability
  • Impact: What could an attacker accomplish?
  • Steps to Reproduce: Detailed instructions on how to trigger the issue
  • Environment: Browser, OS, or tools used
  • Screenshots/Proof of Concept: If applicable
  • Suggested Fix: If you have recommendations

What We Promise

When you report a vulnerability to us in good faith, we promise to:

  • Respond promptly: Acknowledge receipt within 48 hours
  • Investigate thoroughly: Examine all legitimate reports
  • Not take legal action: Against researchers who follow this policy
  • Keep you informed: Update you on our progress fixing the issue
  • Give credit: With your permission, publicly acknowledge your contribution

Scope

The following are in scope for security testing:

  • everfold.co.uk and all subdomains
  • Our mobile applications (if applicable)
  • API endpoints (api.everfold.co.uk)
  • Customer data handling and protection mechanisms
  • Payment processing flows

Out of Scope:

  • Third-party services not operated by EverFold
  • Social engineering attacks on our staff
  • Physical security testing of our premises
  • Denial of Service (DoS) attacks
  • Brute force attacks on user accounts (rate limiting is in place)
  • Vulnerabilities in outdated browser versions

Safe Harbour Guidelines

When conducting security research, please:

  • Only test on accounts you own or have explicit permission to test
  • Do not access, modify, or delete other users' data
  • Do not perform actions that could harm our service or users
  • Stop testing if you access non-public data or systems
  • Do not share vulnerability details with others until we've fixed the issue
  • Allow us reasonable time to fix issues before public disclosure

Security Measures

We employ the following security measures:

  • Encryption: SSL/TLS encryption for all data in transit (HTTPS)
  • Payment Security: PCI DSS compliant payment processing via Stripe
  • Data Protection: GDPR compliant data handling practices
  • Access Controls: Role-based access to systems and data
  • Regular Audits: Security code reviews and vulnerability scans
  • Secure Infrastructure: Cloud hosting with industry-leading providers
  • Incident Response: Documented procedures for security incidents

Bug Bounty

While we do not currently offer a formal bug bounty program with guaranteed rewards, we sincerely appreciate security researchers who help us improve our security posture. We will consider appropriate recognition for significant findings, which may include:

  • Public acknowledgment on this page (with your permission)
  • Swag or merchandise
  • Goodwill gestures for exceptional findings

Security.txt

We maintain a security.txt file at /.well-known/security.txt following the proposed standard for security policies.

Hall of Fame

We would like to thank the following security researchers who have responsibly disclosed vulnerabilities to us:

No entries yet. Be the first to be acknowledged here by responsibly disclosing a security issue!

Contact

For general security questions or to report an issue:

Security Email: hello@everfold.co.uk

General Email: hello@everfold.co.uk
