Security & Responsible Disclosure

Saints & Masters takes the security of our systems and our clients' data seriously. We welcome responsible security research and are committed to working with the security community to protect our systems.

Responsible Disclosure Policy

We encourage security researchers to responsibly disclose vulnerabilities they discover in our systems. In return, we commit to working with you in good faith to understand and address valid security concerns.

If you comply with this policy and report a vulnerability to us in good faith, we will not pursue legal action against you for your security research.

We ask that you:

  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not disrupt or degrade our services or those of our clients
  • Do not use vulnerabilities to access production data
  • Report findings promptly and allow reasonable time for remediation before public disclosure
  • Provide sufficient detail to reproduce and verify the issue

Bug Bounty Scope

In Scope

  • saintsandmasters.com and all subdomains
  • Saints & Masters web applications and APIs
  • Authentication and authorisation systems
  • Data exposure and injection vulnerabilities
  • Server-side request forgery (SSRF)
  • Cross-site scripting (XSS) and CSRF
  • Privilege escalation and access control flaws

Out of Scope

  • Third-party services and infrastructure not owned by S&M
  • Social engineering and phishing attacks against staff
  • Physical security testing
  • Denial-of-service (DoS / DDoS) attacks
  • Automated scanning without prior coordination
  • Vulnerabilities in software we do not maintain
  • Issues already reported by another researcher

Note: We do not currently offer monetary rewards for vulnerability reports. Researchers who make a significant contribution may be acknowledged publicly (with their consent) upon resolution.

Disclosure Process

01 Report

Email your finding to security@saintsandmasters.com with full details — steps to reproduce, impact assessment, and any supporting evidence.

02 Acknowledgement

We will acknowledge receipt of your report within 2 business days and assign an internal tracking reference.

03 Investigation

Our security team will investigate and validate the finding. We aim to provide an initial assessment within 10 business days.

04 Remediation

Confirmed vulnerabilities will be prioritised and remediated. We will keep you updated throughout the process.

05 Disclosure

We support coordinated disclosure. We will work with you to agree a disclosure timeline — typically 90 days from initial report.

Report a Vulnerability

To report a security vulnerability, please email our security team directly. Include as much detail as possible — reproduction steps, impact, and supporting evidence.

Security Team
security@saintsandmasters.com

For general enquiries, visit our contact page. For privacy-related requests, email privacy@saintsandmasters.com.