Security
Vulnerability Disclosure Policy · Last updated: 3 March 2026
1. Reporting a vulnerability
If you discover a security vulnerability in DrivePro, please report it to us by email at security@drivepro.co.uk.
Please include in your report:
- A description of the vulnerability and where it was found
- Step-by-step instructions to reproduce the issue
- The potential impact you believe it could have
2. What to expect
- Acknowledgement of your report within 2 business days
- A status update within 10 business days once we have assessed the issue
- Notification when the vulnerability has been resolved
3. Safe harbour
We will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided they:
- Follow this disclosure policy
- Do not access, modify, or delete data belonging to other users
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to fix it
- Report the issue to us promptly
4. Out of scope
The following are outside the scope of this policy:
- Social engineering attacks against DrivePro staff or customers
- Physical security attacks
- Denial of service attacks
- Vulnerabilities in third-party services we use (Stripe, AWS, HMRC)
5. Privacy
Any personal information you provide in a vulnerability report will be handled in accordance with our Privacy Policy. We will only use it to investigate and resolve the reported issue.