Security / Vulnerability Disclosure Policy

Effective date: 31 Jan 2026


This policy explains how to report security vulnerabilities affecting MannMechanics.com (the “Site”) and any services we operate in connection with the Site.

We take security reports seriously and aim to address legitimate issues in a responsible and timely manner.

1) Scope

This policy applies to security vulnerabilities in:

  • MannMechanics.com and its pages, forms, and user-facing functionality

  • Any Site-connected infrastructure we operate (including hosting, forms, and related integrations)

This policy does not apply to:

  • Third-party services we do not control (report those to the provider)

  • Vulnerabilities requiring physical access to devices or networks not operated by us

  • Social engineering of staff/contractors, phishing attempts, or attempts to obtain credentials

  • Denial-of-service (DoS/DDoS) testing or traffic flooding

2) Safe harbour for good-faith research

We support good-faith security research that complies with this policy.

If you:

  • make a good-faith effort to avoid privacy violations, service disruption, and data destruction, and

  • report findings promptly, and

  • do not exploit a vulnerability beyond what is necessary to prove its existence,

then we will not pursue legal action against you for the act of reporting under this policy.

This safe-harbour statement does not apply to actions that are malicious, reckless, or unlawful.

3) How to report a vulnerability

Email: [email protected]
Subject line: Vulnerability Report – [short description]

Include, where possible:

  • A clear description of the issue and affected URL(s)

  • Steps to reproduce (proof-of-concept)

  • The potential impact (what an attacker could do)

  • Screenshots/logs (redact sensitive data)

  • Your contact details for follow-up (optional but helpful)

If the issue involves sensitive information, minimise exposure and avoid sending personal data. If you need to share sensitive details, state this in your email and we will provide a secure method for sharing if available.

4) What we ask you NOT to do

To protect users and service continuity, please do not:

  • Access, modify, or delete data that is not your own

  • Exfiltrate data, even if accessible

  • Attempt to brute force credentials or perform automated scanning at scale

  • Disrupt service availability (including DoS/DDoS or load testing)

  • Publicly disclose the issue before we have had a reasonable opportunity to remediate

  • Use vulnerabilities to extort, demand payment, or threaten disclosure

5) Our response process

We aim to:

  • Acknowledge receipt within 5 business days

  • Assess severity and scope

  • Remediate as appropriate based on risk and operational constraints

  • Notify relevant users if a material risk to user data is identified (where applicable)

Timeframes can vary depending on complexity and third-party dependencies.

6) Disclosure and coordination

We support coordinated disclosure.

Please allow a reasonable remediation window before any public disclosure. If you would like to publish, include your proposed timeline in your report so we can coordinate appropriately.

7) Recognition

We may, at our discretion, acknowledge valid reports (e.g., by name) where the reporter requests recognition. We do not operate a paid bug bounty programme unless explicitly stated.

8) Contact

Security reports: [email protected]
General contact: [email protected]
Location: London, United Kingdom