Last updated: 28th April 2026
1. Reporting a vulnerability
If you believe you have found a security vulnerability in YourCareHome, please report it to [email protected]. We read every report and will get back to you.
Please include:
- a description of the issue;
- the steps required to reproduce it;
- the potential impact as you see it; and
- any logs, screenshots or proof-of-concept material that helps us verify.
2. What is in scope
- yourcarehome.co.uk and its subdomains;
- vulnerabilities in our application code, configuration or infrastructure that result in unauthorised access, data leakage, account takeover, payment manipulation, or similar real-world harm.
3. What is out of scope
- denial-of-service attacks, volumetric or otherwise;
- social engineering, phishing, or physical attacks against our team or any provider;
- vulnerabilities that require an already-compromised user device;
- output of automated scanners without a working proof-of-concept;
- issues in third-party services we depend on (for example WooPayments, Cloudflare, or Google Maps Platform) — please report those to the owners of those services;
- missing security headers without a demonstrable exploit;
- self-XSS, clickjacking on pages without sensitive actions, and similar low-severity reports without a real-world impact.
4. Bounty
We do not currently run a paid bug bounty programme. We may, with your consent, acknowledge material reports on this page.
5. Response time
We aim to acknowledge legitimate reports within 14 days, and to fix or mitigate confirmed issues as quickly as resourcing allows. We are a small team — please be patient.
6. Safe harbour
YourCareHome will not pursue legal action against researchers who, in good faith, report security issues to us via the contact above and who:
- act within the scope set out above;
- avoid privacy violations, destruction of data, and disruption to our services;
- do not access, modify, or exfiltrate user data beyond the minimum necessary to demonstrate the issue; and
- allow us a reasonable time to fix the issue before any public disclosure.
7. Coordinated disclosure
We support coordinated disclosure. We ask that you give us 90 days from the initial report (or less if we have already mitigated the issue) before publishing details. We are happy to credit you on this page if you would like to be named.
8. Machine-readable contact
A machine-readable version of this contact information is available at /.well-known/security.txt in the format described by RFC 9116.
9. Updates
This policy may be updated from time to time. The most recent version is always at /security-policy/.