# Security Policy (Vulnerability Disclosure)

Responsible disclosure guidelines for Kilowatts.uk systems and services.

Kilowatts.uk welcomes responsible security research and values the contribution of security researchers in helping us maintain the safety and integrity of our systems.

If you believe you have discovered a vulnerability affecting a publicly accessible Kilowatts.uk system or service, please report it to <security@kilowatts.uk>.

## 1. Purpose

This Vulnerability Disclosure Policy defines how security vulnerabilities in Kilowatts.uk systems and services should be reported and handled in a responsible, coordinated, and secure manner.

## 2. Scope

This policy applies to publicly accessible services, applications, and infrastructure operated by Kilowatts.uk under the **kilowatts.uk** domain and its subdomains.

Third-party services, external platforms, and infrastructure not directly controlled by Kilowatts.uk are considered out of scope unless explicitly stated otherwise.

## 3. Responsible Disclosure Guidelines

- Act in good faith and avoid any actions that could impact privacy, availability, or data integrity.
- Do not access, modify, or delete data that does not belong to you.
- Do not perform social engineering, phishing, or physical security testing.
- Do not attempt denial-of-service attacks or service disruption.
- Do not publicly disclose vulnerabilities before they have been resolved or coordinated.
- Limit testing strictly to what is required to demonstrate the issue.

## 4. Safe Harbour

Kilowatts.uk supports good-faith security research conducted in accordance with this policy.

We will not pursue legal action against individuals who:

- Follow this policy in good faith
- Avoid privacy violations and unnecessary data exposure
- Do not disrupt services or degrade system availability

## 5. Reporting a Vulnerability

Please include the following information in your report:

- A clear description of the vulnerability
- Affected URL, system, or component
- Steps required to reproduce the issue
- Any proof-of-concept or supporting evidence
- Your contact details for follow-up communication

Reports should be submitted to: <security@kilowatts.uk>

## 6. Handling and Response

We aim to acknowledge valid vulnerability reports within a reasonable timeframe. All submissions are reviewed and investigated based on severity and operational impact.

Resolution timelines may vary depending on complexity, risk level, and system dependencies.

## 7. Coordinated Disclosure

We request that vulnerabilities not be publicly disclosed until a fix has been implemented or agreed upon through coordinated disclosure with Kilowatts.uk.

## 8. Exclusions

The following activities are generally considered out of scope:

- Automated scanner reports without proof of exploitability
- Denial-of-service or load testing
- Social engineering attacks against staff or contractors
- Physical security testing

## 9. Legal Notice

This policy does not grant permission to conduct illegal activity. All testing must comply with applicable laws and regulations in your jurisdiction.

## 10. Encryption

If required, sensitive disclosures may be encrypted using our published PGP key:

[/.well-known/pgp-key.txt](/.well-known/pgp-key.txt)

Security contact: <security@kilowatts.uk>