Security Policy

# RTC North - Responsible Disclosure Policy

Last updated: 21 January 2026

RTC North is committed to maintaining the security and reliability of our digital services.

We value the work of independent security researchers and welcome responsible vulnerability reports that help us keep our systems safe for everyone.

This policy outlines how to report a security concern, what you can expect from us, and what we request from researchers when investigating potential issues.

1. Our Commitment to Security

We take the security of our users, systems and data seriously. If you identify a potential vulnerability in any website, system or service operated by RTC North, we encourage you to report it privately and responsibly.

We will:

  • Acknowledge valid reports within **5 working days**
  • Provide regular updates during triage
  • Prioritise fixes based on severity
  • Notify you when the issue has been resolved
  • Credit you (with consent) on our acknowledgments page

2. How to Report a Vulnerability

Please report security issues via:

  • Email: security@rtcnorth.co.uk
  • Form: https://rtcnorth.co.uk/contact/

When submitting a report, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any relevant screenshots or proof‑of‑concept details
  • Your preferred contact details

Please avoid sharing sensitive information in plain text unless absolutely necessary.

3. Safe Harbour

We support responsible security research conducted in good faith.

As long as you follow this policy:

  • We **will not pursue legal action** against you
  • We **will not involve law enforcement**, unless required by law or if your actions appear malicious
  • We consider your research to be **authorised access** for the purpose of anti‑hacking laws under UK interpretations of the Computer Misuse Act

These protections apply provided that:

  • You do not intentionally access, modify or delete data
  • You do not disrupt our services or degrade performance
  • You do not conduct social engineering or phishing
  • You do not access accounts, personal data or internal systems
  • You report the issue promptly and do not disclose it publicly until we give permission

4. In‑Scope and Out‑of‑Scope

IN SCOPE:

  • Public‑facing RTC North websites (e.g. https://rtcnorth.co.uk)
  • Subdomains operated by RTC North
  • Misconfigurations or security issues in our public infrastructure
  • TLS/HTTPS configuration issues
  • Authentication and session management issues
  • Cross‑site scripting (XSS), CSRF, access control issues
  • Sensitive data exposure

OUT OF SCOPE:

  • Denial‑of‑service attacks (DoS or DDoS)
  • Automated scanning that may degrade service
  • Social engineering of RTC North employees or partners
  • Vulnerabilities in services not operated by RTC North
  • Physical security testing
  • Spam or email security issues
  • Reports without actionable information

If you’re unsure whether something is in scope, please ask — we’re happy to advise.

5. Coordinated Disclosure

We ask that you:

  • Give us adequate time to investigate and fix the issue
  • Do not share or publish details until remediation is complete
  • Avoid accessing personal data during testing
  • Communicate privately and directly through our channels

We will inform you when the issue has been fully resolved and if/when public disclosure is safe.

6. Thank You

We appreciate the expertise and time of the security research community. Your efforts help us maintain a safe and trustworthy digital environment for the organisations we support across the North of England.

If you have questions about this policy, please contact us at enquiries@rtcnorth.co.uk.