Responsible disclosure

We take our responsibility seriously. Do you?

At Touch Local Loyalty, we consider the security of our systems to be extremely important. Despite our efforts to ensure the security of our systems, vulnerabilities may still occur. If you find a vulnerability in one of our systems, please let us know. This will enable us to take action as quickly as possible. We would like to work with you to better protect our customers and our systems.

We ask that you:

  • Email your findings to privacy@touchincentive.com;
  • Do not exploit the vulnerability by, for example, downloading more data than is necessary to demonstrate the vulnerability or by viewing, deleting or modifying third-party data;
  • Do not share the vulnerability with others until it has been resolved, and delete all confidential data obtained immediately after the vulnerability has been fixed;
  • Do not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications;
  • Provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 5 days. We will indicate whether or not it is a vulnerability that is unknown to us.
  • If it is an unknown vulnerability, we will assess the risk and decide whether to implement the solution you have proposed. If so, we will keep you informed of the progress made in resolving the issue.
  • As a token of our appreciation for your help, we offer a reward of £25 for each report of a vulnerability that is unknown to us and for which we decide to implement the solution you have proposed.
  • If you have complied with the above conditions, we will not take any legal action against you as a result of your report.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent, unless this is necessary to comply with a legal obligation. It is possible to report under a pseudonym. In communications about the reported vulnerability, we will only mention your name as the discoverer if you wish us to do so.