Update: 13th November 2024 - We have now paused this scheme. Therefore, please do not send through any submissions.
While we undertake regular external audits of our tools and services with leading information security companies, we also acknowledge the benefit that independent external security researchers can provide.
No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identifying and fixing any weaknesses.
If you believe you have found a security issue in our tools or services, we encourage you to responsibly disclose this to us via our Bug Bounty program. We will work with you to assess and resolve reported issues promptly. All reported bugs will be assessed by our security team to determine if they qualify for a reward. Animal Friends will consider the impact on both the company and our customers and will calculate any reward accordingly.
All submissions should clearly demonstrate a viable attack against an Animal Friends system, staff member or customer.
Please note the exclusions in the Out of Scope section below.
Our bug bounty program is limited to our customer-facing web applications. These are:
- Our corporate website - https://www.animalfriends.co.uk
- Our customer portal - https://hub.animalfriends.co.uk
- Our vet portal - https://pawtal.animalfriends.co.uk
- Our sales platform - https://quote.animalfriends.co.uk
Do not attempt social engineering or phishing attacks against our customers or employees under any circumstances.
Because of concerns about availability, do not attempt denial of service attacks, spam or similar activity.
The following items are out of scope or excluded from the scheme:
- Non-exploitable vulnerabilities
- All third-party components and services which are used on the items named within scope
- Denial of Service attacks, including Application Denial of Service by locking of user accounts
- Clickjacking, without additional details demonstrating a specific exploit
- TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS 1.0 or TLS 1.1 support, Sweet32, etc.)
- Deviations from “best practice”, for example missing security headers (CSP, x-frame-options, x-prevent-xss, etc.) or additional HTTP verbs (OPTIONS, TRACE, etc.)
- Basic/Simple rate-limiting issues without a direct security impact
- Raw output from commonly available automated scanners or online tools without any additional analysis or practical proof of concept
- Self-XSS and issues exploitable only through Self-XSS
- Cookie flags (including HTTPonly and Secure) for non-sensitive data
- Session handling and policies around brute force, rate limiting, or account lockout
- Session management during email/password changes
Should a successful submission of a vulnerability via our Bug Bounty scheme be deemed worthy of a reward, this will be a cash reward paid via PayPal or bank transfer.
We will pay on a scale of £50 to £400 for vulnerabilities identified and confirmed. We have the option to raise the reward if the vulnerability discovered was critical. Payment will be based on the quality of the submission, our ability to replicate the reported issue, and whether the issue has already been identified and rewarded.
Please inform us responsibly via security@animalfriends.co.uk upon discovery of a potential security issue and we will make every effort to work with you to quickly resolve the issue. Notifications sent to any other email address may not be addressed in a swift manner.