Fena & Wallid payments are temporarily under maintenance — you can still place your order and pay by Direct Bank Transfer (BACS) at checkout
ThePeptideCode LTD
HPLC + MS verified, every batch≥99% purity — independently verifiedFree UK shipping over £100Trustpilot 4.6★ · 75+ reviews

Security · Responsible disclosure

Bug Bounty Program

Security is central to how we protect our customers and their data. If you're a researcher or penetration tester, we invite you to responsibly report vulnerabilities — and we reward valid findings based on their severity.

£500 – £1,500
Critical
£200 – £500
High
£75 – £200
Medium
£25 – £75
Low

Reward tiers

Rewards are assessed once a report is triaged and confirmed. Final amounts are at ThePeptideCode's discretion, based on severity (CVSS), exploitability and quality of the report. Duplicate reports are rewarded to the first valid submitter.

Critical

£500 – £1,500

Remote code execution, authentication bypass, payment manipulation, large-scale customer-data exposure.

High

£200 – £500

Stored XSS, SQL injection, IDOR exposing other customers’ personal data, account takeover.

Medium

£75 – £200

Reflected XSS, CSRF with real impact, meaningful sensitive-information disclosure.

Low

£25 – £75

Low-impact misconfigurations and minor issues with limited security consequence.

In scope

  • www.thepeptidecode.co.uk (storefront, cart, checkout & payment flows)
  • Customer accounts, sign-in and one-time-code authentication
  • Order tracking and account data endpoints (/api/*)
  • wp.thepeptidecode.co.uk (headless WordPress/WooCommerce backend)

Out of scope

  • Denial-of-service (DoS/DDoS) and volumetric or brute-force testing
  • Social engineering, phishing, or physical attacks against staff or premises
  • Automated scanner output with no demonstrated, reproducible impact
  • Missing security headers or best-practice suggestions without a working exploit
  • Self-XSS, clickjacking on pages with no sensitive actions, and rate-limiting reports
  • Reports on third-party services (payment providers, email, CDN) — report those to the vendor

Rules of engagement

  • Only test against your own accounts and test data — never access, modify or delete another user’s data.
  • Do not run destructive tests, degrade our service, or exfiltrate more data than needed to prove an issue.
  • Give us a reasonable time to investigate and remediate before any public disclosure.
  • Provide clear, reproducible steps so we can validate and fix quickly.
  • One vulnerability per report unless they must be chained to demonstrate impact.

Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorised, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you. If in doubt, ask us before testing.

What happens next

  1. 1
    Acknowledge. We aim to confirm receipt within 2 business days and give you a reference number.
  2. 2
    Triage. We validate the report, assess severity, and may ask you for more detail.
  3. 3
    Remediate. We fix the issue and keep you updated on progress.
  4. 4
    Reward. Once confirmed and fixed, we assess a reward based on the severity tiers above.

Submit a report

Please include clear reproduction steps and, where possible, a screenshot or proof-of-concept.

PNG, JPG, WEBP, AVIF or GIF · max 8 MB each.

Prefer email? You can also write to security@thepeptidecode.co.uk.