Responsible Disclosure Policy

Overview & scope

Centili Group Ltd. (Centili) operates direct-carrier-billing, mobile-payment, content-monetisation and SIM-security services across a large network of mobile-network-operator integrations. We welcome reports from the security research community and recognise that the responsible disclosure of vulnerabilities helps us keep our customers, partners and end users safe.

This Responsible Disclosure Policy (also referred to as our Vulnerability Disclosure Programme, or VDP) sets out how you may investigate and report security issues without fear of legal consequences, provided you act in good faith and follow the guidelines below. It is intended to give security researchers clear rules of engagement and to give us a coordinated, structured way to receive and remediate reports.

This policy applies to the systems, domains and services identified as in scope below. It does not grant any right to access, test or disrupt the systems of our customers, partners, carriers or any third party. If you are unsure whether a target is covered, contact us at security@centili.co.uk before testing.

What is in scope

The following assets are generally in scope for this programme, subject to the guidelines and exclusions in this policy:

• Our primary website and its sub-domains, including centiligroup.com and https://www.centiligroup.com.
• Public-facing application programming interfaces (APIs) operated by Centili.
• Customer- and partner-facing portals, dashboards and authentication systems that we own and operate.
• Server-side and client-side vulnerabilities that have a realistic, demonstrable security impact on Centili, our customers or end users.

Examples of issues we are interested in include remote code execution, injection flaws (SQL, command, template and similar), authentication or authorisation bypass, server-side request forgery, insecure direct object references exposing other users' data, significant sensitive-data exposure, business-logic flaws affecting billing or payment integrity, and exploitable cross-site scripting.

If you discover a vulnerability in a service that we operate but which is not explicitly listed here, please still report it. We will assess whether it falls within scope and treat any good-faith report in line with the safe-harbour provisions below.

What is out of scope

The following are generally not eligible under this programme. Reports limited to these categories are unlikely to be actioned and should not be tested in ways that could cause harm:

• Systems, networks or data belonging to our carriers, customers, partners or any other third party — even where reached through a Centili integration. You must not test these.
• Denial-of-service (DoS/DDoS), volumetric attacks, resource-exhaustion testing, or any activity that degrades or interrupts our services.
• Social engineering, phishing, vishing or smishing of our staff, contractors, customers or end users; physical attacks against our offices or data centres.
• Reports generated solely by automated scanners without a demonstrated, exploitable impact, and theoretical vulnerabilities without a working proof of concept.
• Missing security headers, cookie flags, SPF/DKIM/DMARC configuration, TLS configuration weaknesses, or other best-practice findings with no demonstrable exploit.
• Self-XSS, clickjacking on pages with no sensitive actions, login/logout CSRF, and other issues requiring unlikely user interaction or an already-compromised device.
• Rate-limiting or brute-force findings on non-authentication endpoints, verbose error messages, and software version disclosure without a linked, exploitable vulnerability.
• Vulnerabilities in third-party services, libraries or platforms that we consume but do not control — please report these to the relevant vendor.

Our commitments

When you report a vulnerability to us in line with this policy, we commit to the following:

• Acknowledge receipt. We will confirm that we have received your report, normally within three (3) working days.
• Investigate in good faith. We will triage and validate your report, keep you informed of our progress at reasonable intervals, and let you know our remediation plan and indicative timeline.
• Work collaboratively. We will work with you to understand and resolve the issue quickly, and we may contact you for additional information where necessary.
• Respect coordinated disclosure. We will agree a mutually acceptable disclosure timeline with you and will not ask you to keep an issue confidential for an unreasonable period.
• No legal action for good-faith research. We will not pursue or support legal action against researchers who comply with this policy and act in good faith, as set out under Safe harbour below.

Safe harbour

Centili considers security research and vulnerability disclosure activities conducted in accordance with this policy to be authorised conduct. We will not initiate or recommend legal action against you, and we will take reasonable steps to make it known that your actions were authorised, provided that you:

• act in good faith and make a genuine effort to avoid harm to people, data and services;
• stay within the scope of this policy and follow the guidelines for researchers below;
• do not access, modify, delete or retain more data than is necessary to demonstrate the vulnerability;
• report the issue to us promptly and give us a reasonable opportunity to remediate before any disclosure; and
• do not exploit the vulnerability beyond the minimum required to prove it, and do not use it for any other purpose.

This safe harbour does not authorise activity that is unlawful under applicable law, including the Computer Misuse Act 1990, the Data Protection Act 2018 or the UK GDPR. Where your research inadvertently exceeds this policy or breaches the law, but you have nonetheless acted in good faith, we will take that good faith into account in determining how to respond. This policy does not, and cannot, waive the rights of any third party, and the safe harbour does not extend to systems or data belonging to others.

Guidelines for researchers

To remain within the protections of this policy, we ask that you observe the following guidelines at all times:

• Respect privacy. Do not access, copy, download, retain or disclose personal data, payment data or other confidential information belonging to Centili or any third party. If you inadvertently encounter such data, stop immediately, do not save it, and tell us in your report.
• Do not destroy or alter data. Do not delete, modify, corrupt or render inaccessible any data or systems. Use only non-destructive, read-only proof-of-concept techniques wherever possible.
• Do not degrade our service. Avoid testing that could disrupt, overload or impair our services or those of our users. No denial-of-service, load testing, automated brute force or high-volume scanning.
• No social engineering. Do not attempt to phish, deceive, impersonate or otherwise socially engineer our staff, contractors, customers or end users, and do not attempt physical intrusion.
• Use test accounts where possible. Only interact with accounts you own or that you have explicit permission to use. Never pivot into, or attempt to access, other users' accounts or data.
• Give us reasonable time. Provide us with a reasonable period to investigate and remediate before disclosing the issue to anyone else, and coordinate any public disclosure with us in advance.
• Keep findings confidential. Do not disclose the vulnerability, or any data obtained through it, to any third party until we confirm it has been resolved or we mutually agree otherwise.
• Comply with the law. Always act lawfully and in accordance with this policy. When in doubt, ask us first.

How to report

Please send vulnerability reports to security@centili.co.uk. To help us triage and resolve your report quickly, please include as much of the following as you can:

• a clear description of the vulnerability and the security impact you believe it has;
• the specific product, domain, URL, endpoint or component affected;
• detailed, reproducible steps to reproduce the issue, including any required preconditions;
• a proof of concept (for example, a request/response, script or screenshot) demonstrating the issue;
• your assessment of severity and any relevant CVSS vector, if you have one;
• any tooling, accounts or IP addresses you used during testing; and
• how you would like to be credited, if your report is eligible for recognition (see below).

Encrypted & PGP contact

Where a report contains particularly sensitive details or proof-of-concept data, you may request our PGP key before sending it by emailing security@centili.co.uk, and we will provide our current public key so you can encrypt your submission. Please do not include live personal data, credentials or unredacted sensitive information in plain-text email. We will treat all reports as confidential.

If your report concerns a data protection matter or suspected personal-data breach, you may also wish to review our Privacy Policy; security and privacy reports are handled jointly by our security and data-protection teams.

What to expect & timelines

The timelines below are indicative targets rather than contractual guarantees. Actual timing depends on the complexity, severity and exploitability of the issue.

We will keep you updated at reasonable intervals throughout the process and will let you know once the issue has been resolved. We aim to agree any public disclosure with you so that it occurs only after affected users have been protected.

Recognition & rewards

We greatly value the contribution of the security research community. Where a report leads to a fix and you would like to be credited, we may publicly acknowledge you — for example in release notes or a security acknowledgements list — once the issue is resolved. Let us know in your report whether you wish to be credited and the name or handle you would like us to use; we are equally happy to keep your involvement private.

Centili does not currently operate a formal, advertised paid bug-bounty programme. Any monetary reward or token of appreciation is entirely discretionary, decided on a case-by-case basis, and is not guaranteed. Where we do choose to offer a reward, factors we consider include the severity, novelty, quality and clarity of the report and the impact of the vulnerability. Eligibility for any recognition or reward is conditional on full compliance with this policy and on you being the first person to report a previously unknown, valid issue.

Legal

This policy is governed by the laws of England and Wales, and any dispute arising out of or in connection with it is subject to the exclusive jurisdiction of the courts of England and Wales. Nothing in this policy authorises any activity that would breach applicable law, including the Computer Misuse Act 1990, the Data Protection Act 2018 or the UK GDPR.

This policy does not create any contractual relationship, employment relationship or other legal obligation between you and Centili Group Ltd., and it does not grant you any rights in our intellectual property. We may update or withdraw this policy at any time; the version published on our website at the time of your research governs that research. Your use of our websites and services remains subject to our Terms of Service and our Acceptable Use Policy.

By submitting a report, you confirm that you have not breached any law or third-party right in the course of your research, that your submission does not contain anyone else's confidential information beyond what is strictly necessary to demonstrate the issue, and that you grant us permission to use the contents of your report for the purposes of investigating and remediating the vulnerability.

Contact

To report a security vulnerability or ask a question about this policy, please contact our security team at security@centili.co.uk. For unrelated legal queries, you can reach us at legal@centili.co.uk.

Centili Group Ltd. is registered in England and Wales. Our registered office is [Registered office address — to be confirmed], United Kingdom.