Please
- Report issues to us directly via security@pib-insurance.com
- Do not exploit the vulnerability or access data
- Avoid actions that could disrupt services (e.g. DDoS, brute-force)
- Give PIB Group reasonable time to investigate and fix the issue before any public disclosure.
What we offer
- We will acknowledge your report within 3 working days and provide a triage decision within 5 working days
- We will keep you informed throughout the remediation process
- We may offer a goodwill reward or public thanks, depending on the severity and impact
- We will provide credit on request (subject to your consent)
What we will not respond to
- Service disruption tests: DoS/volumetric attacks; brute-force.
- Social engineering or physical security: phishing, tailgating, badge cloning.
- Automated or noise reports: tool output with no actionable proof-of-concept or reproduction steps; spam or mass-mailed reports.
- Best-practice-only findings with negligible risk:
  - Missing security headers without a demonstrable exploit.
  - Clickjacking on non-sensitive, non-state-changing pages.
  - Version/banner disclosure without a proven exploit path.
- Credential/leak reports not involving our systems: third-party breaches, paste dumps, or public lists with no verified linkage to Group assets.
- Reports related to email authentication mechanisms (SPF, DKIM, DMARC).
- Policy/by-design items already accepted as risk: password complexity suggestions, or legacy endpoints protected by compensating controls.
- Physical theft/loss reports.
- Extortion or payment-conditioned disclosures: threats, deadlines, or demands for payment prior to triage.
- Privacy violations or unlawful activity: any testing that accesses, modifies, or exfiltrates real personal data; any activity breaching UK law.
Thank you for helping keep our platform, customers and users safe.
