Report Security Issues (Responsible Disclosure)

Last updated: 26 July 2025

Garden Egg Chair, a trading name of FURNITURE STAR LIMITED (VAT number: GB 291869452), is committed to keeping our customers and systems safe. If you believe you’ve found a security vulnerability on gardeneggchair.co.uk, we want to hear from you.

We’ll investigate all legitimate reports, won’t take legal action against researchers who follow this policy in good faith, and will work to remediate validated issues quickly. Where eligible, we may also offer a good-faith bounty reward (see “Bounty Rewards” below).


1) Safe Harbor (Legal Protections)

If you follow the rules in this policy:

  • We will not initiate legal action or a law-enforcement referral against you.
  • We will consider your research to be authorised, and your testing to be exempt from the Computer Misuse Act to the fullest extent permitted by law.
  • We ask that you act in good faith, avoid privacy violations, avoid service disruption, and do not exploit any vulnerability beyond what’s necessary to prove its existence.

2) Scope

In scope (primary):

  • https://gardeneggchair.co.uk/ and all first-party subdomains we operate
  • First-party infrastructure and services used to process orders, accounts, and payments

Also in scope, where applicable:

  • Staging / test environments explicitly provided to you for research
  • Mobile apps owned and published by FURNITURE STAR LIMITED

Out of scope (examples below; we will not pay bounties for these):

  • Third-party services not operated by us (payment gateways, CDNs, live chat, etc.)
  • Denial of Service (DoS / DDoS) or rate-limit brute force testing
  • SPF/DMARC/BIMI best-practice suggestions without demonstrable exploitability
  • Clickjacking on non-sensitive pages
  • Missing security headers that don’t lead to direct exploitation
  • Vulnerabilities that require physical access to a user’s device
  • Self-XSS (requires victim to paste code)
  • Social engineering / phishing of employees or customers
  • Open redirects without meaningful impact
  • Use of automated scanners producing low-quality / duplicate reports

If you’re unsure whether something is in scope, email us first.


3) Rules of Engagement

Please:

  1. Give us reasonable time (at least 90 days) to triage and fix before public disclosure.
  2. Do not access, modify, or delete data that doesn’t belong to you.
  3. Do not perform actions that degrade service, cause data loss, or impact other users.
  4. Do not exfiltrate data—a few redacted records or hashes are sufficient for proof.
  5. Don’t pivot to other systems or networks beyond the minimum necessary to show impact.
  6. Use test accounts you own (never other users’ accounts).
  7. Don’t attempt financial fraud, order manipulation, or theft.
  8. Comply with applicable laws at all times.

4) How to Report

Send us an email at security@gardeneggchair.co.uk (or contact@gardeneggchair.co.uk) with:

  • Title & severity estimate
  • Affected domain/endpoint
  • Detailed reproduction steps / PoC (curl, Burp request, screenshots, or video)
  • Impact and likelihood (what can an attacker do?)
  • Any logs or indicators of compromise you observed
  • Your contact & payment details (if you’re seeking a bounty)

We will:

  • Acknowledge your report within 3 business days
  • Provide a status update at least every 14 days
  • Notify you when it’s fixed and, if applicable, discuss bounty reward

5) Bounty Rewards (Good-Faith, Discretionary)

Rewards depend on impact, exploitability, quality of report, and novelty. We reward the first valid, reproducible report of a given issue. Multiple issues caused by the same underlying bug may be grouped as one bounty. All amounts below are maximums—final rewards are at our discretion.

Severity | Example Impact | Max Reward
Critical | RCE, full account takeover, vertical auth bypass, SQLi with targeted data leak | £200
High | Lateral auth bypass, stored XSS affecting other users, sensitive data exposure, insecure auth cookies | £100
Medium | Significant business logic flaws, Insecure Direct Object References (IDOR), meaningful CSRF | £50
Low | Open redirect, reflected XSS with limited impact, low-risk info disclosure | Thanks / Hall of Fame

Payment method: Usually PayPal or bank transfer. You are responsible for any taxes in your jurisdiction.


6) What Not to Report (Examples)

  • Missing security headers without demonstrated exploit (e.g., X-Frame-Options)
  • Best-practice cookie flags on non-sensitive cookies
  • Version disclosure banners
  • Rate-limiting or brute-force on non-sensitive endpoints
  • Self-XSS, clickjacking (non-sensitive), or Open Redirect without clear exploit
  • Vulnerabilities that require MITM on the same local network without a clear payoff

7) Publication & Disclosure

  • Please do not publicly disclose the vulnerability (blog, tweet, repo, etc.) until we confirm the fix and give permission.
  • We may publish a summary of your report (crediting you if you wish) once the issue is resolved.

8) Contact

Security Team – Garden Egg Chair

(trading name of FURNITURE STAR LIMITED, 10947027)

Email: support@gardeneggchair.co.uk

Phone: +44 161 391 2033

Address: 29 Ystrad Road, Fforestfach, Swansea, Wales, SA5 4LH, United Kingdom