Last updated: 26 July 2025

Decor Nest is a trading name of DECORNEST LTD (“we”, “us”, “our”). We are committed to keeping our customers and systems safe. If you believe you’ve found a security vulnerability on onlinesofaworld.co.uk, we want to hear from you.

We’ll investigate all legitimate reports, won’t take legal action against researchers who follow this policy in good faith, and will work to remediate validated issues quickly. Where eligible, we may also offer a good-faith bounty reward (see Bounty Rewards below).


1) Safe Harbor (Legal Protections)

If you follow the rules in this policy:

  • We will not initiate legal action or a law-enforcement referral against you.
  • We will consider your research to be authorised, and your testing to be exempt from the Computer Misuse Act to the fullest extent permitted by law.
  • You must act in good faith, avoid privacy violations, avoid service disruption, and not exploit any vulnerability beyond what’s necessary to prove its existence.

2) Scope

In scope (primary):

  • https://onlinesofaworld.co.uk/ and all first-party subdomains we operate
  • First-party infrastructure and services used to process orders, accounts and payments

(Optional—in scope when explicitly provided):

  • Staging / test environments we explicitly provide for research
  • Mobile apps owned and published by DECORNEST LTD

Out of scope (examples—we won’t pay bounties for these):

  • Third-party services not operated by us (payment gateways, CDNs, live chat, etc.)
  • Denial of Service (DoS / DDoS) or brute-force rate-limit testing
  • SPF/DMARC/BIMI best-practice suggestions without demonstrable exploitability
  • Clickjacking on non-sensitive pages; missing non-exploitable security headers
  • Vulnerabilities requiring physical access to a user’s device
  • Self-XSS (requires victim to paste code)
  • Social engineering / phishing of employees or customers
  • Open redirects without meaningful impact
  • Automated scanner output that is low-quality or duplicative

If you’re unsure whether something is in scope, please email us first.


3) Rules of Engagement

  • Give us reasonable time (at least 90 days) to triage and fix before public disclosure.
  • Do not access, modify or delete data that doesn’t belong to you.
  • Do not perform actions that degrade service, cause data loss, or impact other users.
  • Do not exfiltrate data—a few redacted records or hashes are sufficient for proof.
  • Don’t pivot to other systems beyond the minimum necessary to show impact.
  • Use test accounts you own; never access other users’ accounts.
  • Don’t attempt financial fraud, order manipulation or theft.
  • Comply with applicable laws at all times.

4) How to Report

Send an email to contact@onlinesofaworld.co.uk and include:

  • Title & severity estimate
  • Affected domain/endpoint
  • Detailed reproduction steps / PoC (curl/Burp requests, screenshots or video)
  • Impact and likelihood (what can an attacker do?)
  • Any logs or indicators of compromise you observed
  • Your contact & payment details (if seeking a bounty)

We will:

  • Acknowledge your report within 3 business days
  • Provide a status update at least every 14 days
  • Notify you when it’s fixed and, if applicable, discuss bounty reward

5) Bounty Rewards (Good-Faith, Discretionary)

Rewards depend on impact, exploitability, report quality and novelty. We reward the first valid, reproducible report of a given issue. Multiple issues caused by the same root cause may be grouped as one bounty. Amounts below are maximums; final rewards are at our discretion.

Severity | Example Impact | Max Reward
Critical | RCE, full account takeover, vertical auth bypass, SQLi with targeted data leak | £200
High | Lateral auth bypass, stored XSS affecting other users, sensitive data exposure, insecure auth cookies | £100
Medium | Significant business logic flaws, IDOR, meaningful CSRF | £50
Low | Open redirect, reflected XSS with limited impact, low-risk info disclosure | Thanks / Hall of Fame

Payment method: usually PayPal or bank transfer. You are responsible for any taxes in your jurisdiction.


6) What Not to Report (Examples)

  • Missing security headers without a demonstrated exploit (e.g., X-Frame-Options)
  • Best-practice cookie flags on non-sensitive cookies
  • Version disclosure banners
  • Rate-limiting or brute-force findings on non-sensitive endpoints
  • Self-XSS, non-sensitive clickjacking, or open redirects without clear exploit path
  • Vulnerabilities that require on-path/MITM on the same local network without a clear payoff

7) Publication & Disclosure

Please do not publicly disclose the vulnerability (blog, tweet, repo, etc.) until we confirm the fix and give permission. We may publish a summary of your report (crediting you if you wish) once resolved.


8) Contact

Security Team – Decor Nest Ltd (DECORNEST LTD)

Email: security@onlinesofaworld.co.uk · contact@onlinesofaworld.co.uk

Phone: +44 7457 409318

Address: 23a Kenilworth Gardens, Hayes, UB4 0AY, United Kingdom.