How to report
The fastest way to reach us is by email. Please include as much detail as you can — the issue itself, how to reproduce it, the affected software (no~bull books, no~bull visa, or the website), and the potential impact as you see it.
Security contact
security@nobull.consulting
What to expect
- We aim to acknowledge your report within 48 hours.
- We'll keep you updated as we investigate and triage.
- For confirmed issues, we'll let you know when a fix is being deployed and when it's live.
- With your permission, we'll credit you publicly once the fix is in place. If you prefer to stay anonymous, that's fine too.
Responsible disclosure
We ask that you:
- Give us reasonable time to investigate and address the issue before disclosing publicly.
- Avoid accessing, modifying, or deleting customer data beyond what's necessary to demonstrate the issue.
- Don't disrupt service or perform tests that could degrade availability for other customers.
- Don't attempt social engineering against staff or customers.
We don't currently operate a paid bug bounty programme, but we genuinely appreciate the work that researchers do. If you've made a meaningful contribution to making no~bull more secure, we'll be glad to acknowledge it.
What's in scope
- The no~bull books application and its supporting infrastructure
- The no~bull visa application and its supporting infrastructure
- The nobull.consulting website
What's out of scope
- Vulnerabilities in third-party services we depend on (Google Workspace, HMRC APIs, etc.) — please report these directly to the vendor.
- Issues that require physical access to a user's device.
- Social engineering, phishing, and physical security.
- Denial-of-service attacks and brute-force attempts.