Responsible Disclosure / Bug Bounty

No Financial Reward

As a small company, Westbury Digital isn't in a position to offer financial remuneration. However, I genuinely welcome responsible disclosure and value the effort that goes into finding real issues.

What's In Scope

Genuine, exploitable vulnerabilities with a demonstrable attack path. Examples: XSS with real impact, authentication or authorisation bypasses, SQL injection, sensitive data exposure, or similar issues where you can show meaningful harm.

What's Out of Scope

The following will not be accepted or acknowledged:

  • Outdated library versions — a CVE against a library (e.g. jQuery) is not a finding unless you can demonstrate that a vulnerable function is actually being invoked and exploitable in this specific context.
  • Rate limiting — do not test, probe, or report rate limiting on any endpoint.
  • Data alteration or deletion — any attempt to modify, corrupt, or delete data is outside scope and unwelcome.
  • Automated scanner output — raw results from Nikto, Burp passive scan, or similar tools with no manual verification or demonstrated impact.
  • Missing security headers without demonstrated impact — e.g. absence of a clickjacking header on a site with no login functionality.
  • Email configuration — SPF, DKIM, DMARC, MTA-STS, and related DNS findings.
  • Denial of service — do not flood, load test, or otherwise attempt to degrade the servers.


Notoriety Board

A place on the board. Any verified, in-scope finding gets your name or handle listed here with the vulnerability and its potential impact.

Submission statistics:

  • Received: 7
  • Accepted: 2
  • Closed: 5
  • Acceptance rate: 29%

CVSS                  | Name / Handle        | Vulnerability              | Potential Impact
----------------------|----------------------|----------------------------|-------------------------------------------------
3.5                   | Alan Jose            | Host Header Injection      | Crash Online Store
6.1 (CVE-2022-38796)  | Nilesh Agrawal Koyo  | Prototype Pollution Attack | Serverside misdirection if incorrectly referenced

What's CVSS? An open industry standard for scoring vulnerability severity from 1–10.

Disclose Here

Use the submission form to report a finding. You'll receive a tracking ID so you can check the status of your submission.
