Report Security Issues

Last updated: February 2026

Little Saffrons takes the security of our website and customer data seriously.

If you believe you have discovered a security vulnerability affecting our website or services, we encourage you to report it responsibly so we can investigate and resolve the issue promptly.


Responsible Disclosure Principles

If you follow the guidelines below, Little Saffrons will not initiate legal action against you for responsible security research.

We ask that you:

  1. Provide us with reasonable time to investigate and fix the issue before publicly disclosing it.

  2. Avoid accessing, modifying, or deleting data that does not belong to you.

  3. Do not access private customer accounts without explicit permission.

  4. Make a good-faith effort to avoid privacy violations, service disruption, or data destruction.

  5. Do not exploit the vulnerability for personal gain.

  6. Comply with all applicable laws and regulations.


How to Report a Vulnerability

Please report security vulnerabilities by emailing:

📧 contact@littlesaffrons.uk
Subject line: Security Vulnerability Report

Include:

  • A clear description of the issue

  • Steps to reproduce the vulnerability

  • Screenshots or proof-of-concept (if applicable)

  • Your contact information

Please do not contact individual employees directly.


Our Response

  • We review all legitimate security reports.

  • We may request additional information if needed.

  • We aim to respond within 5–10 business days.

  • We reserve the right to determine the severity and impact of any reported issue.


Bounty / Rewards (Optional Program)

Little Saffrons may, at its sole discretion, offer monetary rewards for valid security reports depending on severity and impact.

Severity Levels & Maximum Rewards

Critical Severity – up to £200
Examples:

  • Remote Code Execution

  • Privilege Escalation

  • SQL Injection exposing sensitive data

  • Full account takeover

High Severity – up to £100
Examples:

  • Authentication bypass

  • Stored XSS

  • Disclosure of sensitive internal information

  • Insecure session handling

Medium Severity – up to £50
Examples:

  • Business logic flaws

  • Insecure direct object references

Low Severity – No guaranteed reward
Examples:

  • Open redirect

  • Minor information disclosure

⚠️ Reward amounts are discretionary and based on impact, exploitability, and report quality.

Where duplicate reports are received, only the first valid submission is rewarded.


Out of Scope

The following are generally not eligible:

  • Denial of Service (DoS/DDoS) attacks

  • Automated vulnerability scanner results without proof of impact

  • Social engineering attacks

  • Spam or phishing reports


Legal Notice

This policy does not grant permission to test any systems other than our website and the infrastructure owned and operated by Little Saffrons.


Contact Information

Little Saffrons
38 Shambles
York YO1 7LX
United Kingdom

📞 +44 1904 541922
📧 contact@littlesaffrons.uk