
Responsible Disclosure Policy


At Hades Security Ltd, the integrity of our physical and digital perimeters is paramount. We believe in the power of ethical intelligence and proactive vulnerability management. This policy outlines our commitment to working with the global security community to identify, verify, and resolve security concerns in a manner that protects our clients and our operational sanctity.

1. Introduction & Commitment to Security

At Hades Security Consultancy Ltd ("Hades", "we", "us", "our"), the security of our systems, client data, and partner integrations is our highest priority. Despite our rigorous internal security protocols, we recognize that vulnerabilities can occasionally slip through.

We welcome and encourage security researchers, ethical hackers, and IT professionals to responsibly discover and report security vulnerabilities in our digital assets. This policy outlines our coordinated vulnerability disclosure process and the commitments we make to researchers who act in good faith.

2. Safe Harbor Statement (Legal Protection)

We want to support and protect the ethical hacking community. If you conduct vulnerability research and disclose a security flaw to us in accordance with this policy, we make the following commitments to you:


  • No Legal Action: We will not initiate or support any legal action, civil claims, or criminal complaints against you (including, but not limited to, claims under the Computer Misuse Act 1990 or the Data Protection Act 2018).

  • Safe Harbor: We will view your activities as authorized, ethical, and helpful.

  • Third-Party Action: If a third party (such as our hosting provider) initiates legal action against you for activities conducted under this policy, we will advocate on your behalf to clarify that your actions were authorized.

3. Scope of the Policy

3.1 In-Scope Assets:

  • Our main website: www.hadessecurityltd.com/

  • Directly connected web applications and secure client delivery portals hosted under our primary domain.


3.2 Strictly Out-of-Scope:

  • Any physical testing, physical intrusion attempts, or social engineering targeting Hades offices, personnel, or contractors.

  • Any third-party websites, software-as-a-service (SaaS) integrations, or infrastructure providers utilized by Hades.

  • The networks, websites, or physical infrastructure belonging to our clients. (Attempting to breach a client’s network under this policy is strictly unauthorized and a direct violation of UK criminal law).

4. Prohibited Testing Methods

To ensure the safety of our operations and protect our data integrity, the following activities are strictly prohibited during your research:

  • Denial of Service (DoS/DDoS): Any testing that deliberately degrades, interrupts, or crashes our services.

  • Data Exploitation & Exfiltration: Accessing, downloading, deleting, or altering data beyond the absolute minimum required to prove the existence of the vulnerability (e.g., retrieving a database version number is acceptable; downloading client records is a violation).

  • Social Engineering: Phishing, vishing, or impersonating Hades staff or clients.

  • Physical Security Breaches: Attempting physical entry to our registered offices or storage facilities.

  • Spamming: Using automated vulnerability scanners in a manner that floods contact forms or API endpoints.

5. How to Report a Vulnerability

If you have discovered a vulnerability, please report it to our security team immediately.

  • Reporting Email: operations@hades-security.com

  • Required Information: To help us validate and fix the issue quickly, your report should contain:

    1. A clear description of the vulnerability.

    2. The exact URL(s), parameters, or endpoints affected.

    3. A step-by-step Proof of Concept (PoC) or script to reproduce the issue.

    4. An assessment of the potential business or security impact.

6. Our Commitment to You

When you submit a report to us, we will:

  1. Acknowledge Receipt: Respond to your initial report within two business days.

  2. Validate the Issue: Investigate, reproduce, and confirm the vulnerability within 5 business days.

  3. Remediation: Keep you informed of our progress as our team works to implement a fix.

  4. Coordinated Disclosure: We ask that you do not disclose the vulnerability to the public or any third party until we have resolved the issue. Once a fix is live, you are welcome to publish your findings, provided no sensitive client or proprietary corporate data is exposed.

  5. Recognition: With your permission, we are happy to publicly acknowledge your contribution to our security on our website or social media channels once the patch is live.

(Please note: We do not currently operate a paid "Bug Bounty" program. However, we deeply value and respect the contribution of ethical researchers).

7. Modifications

We reserve the right to modify or update this policy at any time to align with legislative changes and operational updates.
