Last updated: 26 July 2025

Online Sofa World is a trading name of Online Sofa World Ltd (“we”, “us”, “our”).

We are committed to keeping our customers, partners, and systems safe. If you believe you’ve found a security vulnerability on onlinesofaworld.co.uk, we’d like to hear from you.

We take every legitimate report seriously, will not take legal action against researchers who follow this policy in good faith, and will work quickly to investigate and remediate confirmed issues. Where appropriate, we may also offer a good-faith bounty reward (see Bounty Rewards below).


1. Safe Harbor (Legal Protections)

If you comply with this policy:

  • We will not pursue legal action or refer your activity to law enforcement.
  • We will treat your testing as authorised and exempt from the UK Computer Misuse Act to the fullest extent permitted by law.
  • You must act in good faith, avoid privacy violations or data destruction, and not exploit any vulnerability beyond proving its existence.

2. Scope

In scope (primary):

  • https://onlinesofaworld.co.uk and all first-party subdomains operated by us
  • First-party systems, APIs, and services used to process orders, accounts, and payments

Optional (in scope when explicitly approved):

  • Staging or test environments we explicitly provide
  • Mobile apps owned and published by Online Sofa World Ltd

Out of scope examples (no bounties or legal coverage):

  • Third-party services (payment processors, CDNs, live chat providers, etc.)
  • DoS/DDoS or brute-force rate-limit testing
  • SPF/DMARC/BIMI recommendations without demonstrable exploitability
  • Clickjacking on non-sensitive pages
  • Physical attacks, social engineering, or phishing
  • Self-XSS or open redirects with no meaningful impact
  • Automated scanner output without verified proof-of-concept

If you’re unsure whether something is in scope, please contact us first.


3. Rules of Engagement

To ensure a cooperative process, please:

  • Allow at least 90 days for us to triage and fix before public disclosure.
  • Do not access, modify, or delete data that doesn’t belong to you.
  • Avoid any activity that could degrade service or impact users.
  • Do not exfiltrate data; redacted examples are sufficient as proof.
  • Use your own test accounts and avoid accessing other users’ accounts.
  • Never attempt financial fraud or order manipulation.
  • Always comply with applicable laws.

4. How to Report

Please email reports to contact@onlinesofaworld.co.uk with:

  • A clear title and estimated severity
  • The affected domain/endpoint
  • Detailed reproduction steps or proof of concept (curl/Burp requests, screenshots, etc.)
  • Impact and likelihood (what could an attacker achieve?)
  • Any relevant logs or indicators of compromise
  • Your contact and payment details (if you seek a bounty)

We will:

  • Acknowledge your report within 3 business days
  • Provide status updates at least every 14 days
  • Notify you once the issue is fixed and, if applicable, discuss bounty rewards

5. Bounty Rewards (Good-Faith, Discretionary)

Rewards are discretionary and depend on severity, impact, and report quality.

We reward the first valid, reproducible report of a given issue.

Severity   Example Impact                                                     Maximum Reward
Critical   RCE, full account takeover, SQLi with targeted data leak           £200
High       Auth bypass, stored XSS affecting others, sensitive data exposure  £100
Medium     Business logic flaw, IDOR, CSRF                                    £50
Low        Open redirect, reflected XSS with minimal impact                   Thanks / Hall of Fame

Payment: via PayPal or UK bank transfer. You are responsible for any applicable taxes.


6. What Not to Report

Please avoid submitting:

  • Missing headers (e.g., X-Frame-Options) without exploitability
  • Version disclosure or banner info
  • Rate-limiting or brute-force reports on non-sensitive endpoints
  • Self-XSS, non-sensitive clickjacking, or open redirects without clear harm
  • Vulnerabilities that require local network access without exploit potential

7. Publication & Disclosure

Do not disclose vulnerabilities publicly (blog, social media, etc.) until we confirm a fix and give permission.

We may publish a summary of your report and credit you, with your consent.


8. Contact

Security Team – Online Sofa World Ltd

📧 security@onlinesofaworld.co.uk · contact@onlinesofaworld.co.uk

📞 +44 7 453 41 41 90

📍 Unit B2, Express Business Park, Miller St, Birmingham B6 4NH, United Kingdom