Security
Vulnerability Disclosure Policy
Introduction
myBursary is used by schools and colleges across England to administer the 16–19 Bursary Fund. The platform holds sensitive financial eligibility data about young people, and the security of that data is our responsibility. We welcome reports from security researchers and members of the public who identify vulnerabilities in our systems.
This policy sets out how to report a vulnerability, what information helps us most, and what you can expect from us in response.
How to report
Send your report by email to [email protected]. Please use this address for all security reports, including potential data breaches, exposed credentials, and suspected vulnerabilities in the platform or our public website.
If your report contains highly sensitive information, you may request our PGP public key before sending by emailing the address above.
Please do not report security vulnerabilities through public channels such as GitHub issues, social media, or the general contact form.
What to include
The more detail you can provide, the faster we can triage and address the issue. Helpful information includes:
- A description of the vulnerability and its potential impact
- The URL or component affected
- Step-by-step instructions to reproduce the issue
- Screenshots, screen recordings, or proof-of-concept code where relevant
- Your name and contact details (optional, but needed if you would like acknowledgement)
Please limit your testing to what is necessary to demonstrate the vulnerability. Do not access, modify, or delete data belonging to other users, and do not perform testing that could affect the availability of the platform for others.
What to expect from us
We aim to respond to all reports within 2 business days to acknowledge receipt and confirm that we are investigating.
We will keep you informed of our progress and aim to provide a resolution timeline within 5 business days of acknowledgement. For complex vulnerabilities, we may request additional time and will communicate that to you.
We will notify you when the issue has been resolved, and where you have provided contact details and consented, we are happy to credit your report.
We do not currently operate a paid bug bounty programme.
In scope
The following are in scope for this policy:
- mybursary.org and its subpages
- Institution subdomains (*.mybursary.org) and the platform application
- Authentication and account security (login, MFA, session management)
- Data access controls and tenant isolation
- File upload handling and stored evidence documents
- API endpoints used by the platform
Out of scope
The following are outside the scope of this policy:
- Vulnerabilities in third-party services or software we use but do not control
- Social engineering attacks targeting our staff
- Physical security of our infrastructure
- Denial-of-service attacks or attempts to degrade platform availability
- Automated scanning without prior agreement
- Reports based solely on the output of automated scanners with no manual verification
- Clickjacking on pages with no sensitive actions
- Missing security headers where there is no demonstrable impact
Safe harbour
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider responsible security research to be a valuable contribution.
To qualify for safe harbour, your research must:
- Be conducted in a way that avoids harm to users, institutions, or the platform
- Not involve accessing, exfiltrating, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability
- Be reported to us promptly and not disclosed publicly before we have had a reasonable opportunity to address it
- Not involve testing on production accounts belonging to real institutions or students without their consent
If in doubt about whether a particular test is in scope or acceptable, please contact us before proceeding.
Acknowledgement
We maintain a record of responsibly disclosed vulnerabilities. If you would like to be acknowledged for a valid report, please include your name or handle in your submission. We will confirm your preferred credit wording before publishing.
Contact
Security Team, Senha Ltd t/a myBursaryEmail: [email protected]