Security Policy
Last updated: December 2024
Our Commitment to Security
At PrayForAPrisoner, we take the security of our systems and personal data seriously. We are committed to protecting the privacy and security of everyone who uses our services, particularly given the sensitive nature of our work with those connected to the criminal justice system.
Responsible Disclosure
If you believe you have found a security vulnerability in our website or systems, we encourage you to report it to us as quickly as possible. We welcome reports from security researchers, developers, and members of the public.
How to Report
- Email: security@prayforaprisoner.org.uk
- Encrypt your report: Use our PGP public key for sensitive information
- Machine-readable policy: our security.txt file
What to Include
Please provide as much information as possible:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggestions for remediation
- Your contact information (optional, but helpful for follow-up)
Our Promise to You
When you report a vulnerability to us in good faith, we commit to:
- Respond within 48 hours to acknowledge receipt of your report
- Keep you informed of our progress in addressing the issue
- Not take legal action against researchers who follow responsible disclosure
- Credit you publicly on our acknowledgments page (if you wish)
- Work with you to understand and resolve the issue
Scope
This policy applies to:
- The PrayForAPrisoner website (prayforaprisoner.org.uk)
- Our APIs and backend services
- Related subdomains
Out of Scope
The following are generally not considered vulnerabilities:
- Social engineering attacks
- Physical security issues
- Denial of service attacks
- Issues in third-party services we use
- Outdated browsers or plugins
Safe Harbour
We consider security research conducted in accordance with this policy to be:
- Authorised with respect to any applicable anti-hacking laws
- Authorised with respect to any relevant anti-circumvention laws
- Exempt from restrictions in our terms of service that would interfere with conducting security research
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy.
Data Protection
During your research, please:
- Avoid accessing or modifying other people's data
- Do not perform actions that could harm people or our services
- Stop testing and report immediately if you encounter personal data
- Delete any data you may have accessed during testing
Recognition
We believe in recognising the valuable work of security researchers. If you report a valid vulnerability and wish to be acknowledged, we will add your name to our Security Acknowledgments page once the issue is resolved.
Contact
For any questions about this policy, please contact us at security@prayforaprisoner.org.uk.