Security · Responsible disclosure
Bug Bounty Program
Security is central to how we protect our customers and their data. If you're a researcher or penetration tester, we invite you to responsibly report vulnerabilities — and we reward valid findings based on their severity.
Reward tiers
Rewards are assessed once a report is triaged and confirmed. Final amounts are at ThePeptideCode's discretion, based on severity (CVSS), exploitability and quality of the report. Duplicate reports are rewarded to the first valid submitter.
Critical
£500 – £1,500Remote code execution, authentication bypass, payment manipulation, large-scale customer-data exposure.
High
£200 – £500Stored XSS, SQL injection, IDOR exposing other customers’ personal data, account takeover.
Medium
£75 – £200Reflected XSS, CSRF with real impact, meaningful sensitive-information disclosure.
Low
£25 – £75Low-impact misconfigurations and minor issues with limited security consequence.
In scope
- www.thepeptidecode.co.uk (storefront, cart, checkout & payment flows)
- Customer accounts, sign-in and one-time-code authentication
- Order tracking and account data endpoints (/api/*)
- wp.thepeptidecode.co.uk (headless WordPress/WooCommerce backend)
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric or brute-force testing
- Social engineering, phishing, or physical attacks against staff or premises
- Automated scanner output with no demonstrated, reproducible impact
- Missing security headers or best-practice suggestions without a working exploit
- Self-XSS, clickjacking on pages with no sensitive actions, and rate-limiting reports
- Reports on third-party services (payment providers, email, CDN) — report those to the vendor
Rules of engagement
- Only test against your own accounts and test data — never access, modify or delete another user’s data.
- Do not run destructive tests, degrade our service, or exfiltrate more data than needed to prove an issue.
- Give us a reasonable time to investigate and remediate before any public disclosure.
- Provide clear, reproducible steps so we can validate and fix quickly.
- One vulnerability per report unless they must be chained to demonstrate impact.
Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorised, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you. If in doubt, ask us before testing.
What happens next
- 1Acknowledge. We aim to confirm receipt within 2 business days and give you a reference number.
- 2Triage. We validate the report, assess severity, and may ask you for more detail.
- 3Remediate. We fix the issue and keep you updated on progress.
- 4Reward. Once confirmed and fixed, we assess a reward based on the severity tiers above.
Submit a report
Please include clear reproduction steps and, where possible, a screenshot or proof-of-concept.