Report Security Issues

Last updated: 01/01/2025

If you’ve found a security vulnerability on electricalrutland.com, we encourage you to message us immediately. We’ll review all legitimate vulnerability reports and will do our utmost to quickly resolve the matter.

Before you report, please review this document, including our fundamentals, bounty program, reward guidelines, and what should not be reported.


Fundamentals

If you follow the principles below when reporting a security issue to Rutland Electricals, we will not initiate a lawsuit or enforcement investigation against you in response to your report.

We ask that:

  1. You give us reasonable time to review and repair the issue you report before making public any information about the report or sharing such information with others.

  2. You don’t interact with private accounts (including modifying or accessing data from an account) unless the account owner has given explicit consent.

  3. You make a good faith effort to avoid privacy violations and disruptions to others, including destruction of data or interruption/degradation of our services.

  4. You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempting to compromise sensitive data or searching for additional issues.)

  5. You do not violate any applicable laws or regulations.


Bounty Program

We recognize and reward security researchers who help us keep our platform safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Rutland Electricals’ discretion, based on risk, impact, and other factors.

To potentially qualify for a bounty, you must meet the following requirements:

  1. Adhere to our fundamentals (see above).

  2. Report a valid security bug: identify a vulnerability in our services or infrastructure that creates a security or privacy risk.

  3. Submit your report via our security contact email (see below). Please do not contact employees directly.

  4. If you inadvertently cause a privacy violation or disruption (e.g., accessing account data, service configurations, or other confidential information), disclose this in your report.

  5. We investigate and respond to all valid reports. Due to volume, we prioritize evaluations based on risk and other factors.

  6. We reserve the right to publish reports once resolved.


Rewards

Our rewards are based on the impact of a vulnerability.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be eligible for a bounty.

  • When duplicates occur, the first reproducible report will be rewarded.

  • Multiple vulnerabilities caused by one underlying issue will be awarded a single bounty.

  • Reward amounts are determined at our discretion, considering severity, exploitability, and report quality.

Reward Levels

  • Critical Severity – up to £200

    • Privilege escalation from unprivileged to admin

    • Remote Code Execution (RCE)

    • Financial theft or unauthorized full account access

    • SQL Injection leaking targeted data

  • High Severity – up to £100

    • Lateral authentication bypass

    • Disclosure of sensitive corporate data

    • Insecure handling of authentication cookies

    • Local file inclusion (LFI)

  • Medium Severity – up to £50

    • Common logic flaws and business process defects

    • Insecure Direct Object References (IDOR)

    • Flaws affecting multiple users with minimal interaction

  • Low Severity – discretionary

    • Issues affecting single users with prerequisites

    • Open redirect vulnerabilities

    • Reflected XSS

    • Minor information leaks


Contact – Security Reports

If you discover a security vulnerability, please contact us immediately:
