Security policy

Last updated 30 May 2026.

Responsible disclosure

If you believe you have found a security issue on tenderstandard.co.uk, please email hello@tenderstandard.co.uk with enough detail for us to reproduce it.

Useful reports include the affected URL, the steps taken, the expected and actual result, browser or tool details, and screenshots where they help explain the issue. Please do not include other people's personal data, payment data, secrets or paid download files unless it is strictly necessary to explain the risk.

Scope

This policy covers the public website, account dashboard, checkout hand-off, delivery request flow, first-party analytics endpoints and admin surfaces operated under tenderstandard.co.uk.

Testing rules

Please avoid testing that disrupts the service or harms other users. Do not run denial-of-service tests, credential stuffing, spam, phishing, social engineering, bulk scraping, destructive scans or attempts to access another buyer's paid files.

If you can prove an issue with a small, non-destructive test, stop there and send the report. We will investigate from our side.

Response

We aim to acknowledge genuine security reports within five working days. Fix priority depends on severity, exploitability and customer impact. We may ask for more detail if the report cannot be reproduced.

No bug bounty

TenderStandard UK does not currently run a paid bug bounty programme. Sending a report does not create a contract, reward entitlement or permission to go beyond the testing rules above.