Responsible Disclosure Policy


This policy is intended to give guidance for submitting potential vulnerabilities discovered on the Boomf website, mobile apps or other technical services provided by Boomf.

Our responsible disclosure process allows us to take steps to address any vulnerabilities, thereby protecting our customers, colleagues and systems.


If you are having issues using our website or services that are not related to a technical or security vulnerability you have found, please contact our Customer Service team on and they will be happy to assist you.


We strive to uphold solid security standards and practices and to keep our services as secure as we can, but we know bugs can happen, and technology and practices are always changing.

We really appreciate those who take the time and effort to report security vulnerabilities to us according to this policy and we want to thank you for disclosing these if you find any. 


Unfortunately, we are unable to offer any financial incentives or gifts for raising vulnerability disclosures.


When disclosing a vulnerability, we ask that you:

  • Email your findings to (including a description of the problem, what the problem affects and any necessary reproduction steps).
  • Don’t access unnecessary, excessive or significant amounts of data. 
  • Only use your own Boomf account(s) for any proof of concept. Please do not create additional accounts to test these either.
  • Don’t tell anyone else about the problem until we’ve responded, addressed it and (if appropriate) contacted any affected users.
  • Don't publish details about the vulnerability online.
  • Don’t run any automated tools against our website (examples include, but are not limited to, Nikto, Burp scanner, Nessus, etc.).
  • Don’t target our physical security, perform any social engineering, denial of service, spam or target applications of third parties, or otherwise break any laws.


What you can expect from us:

  • We’ll respond to you within 10 business days to acknowledge your disclosure. This response may not detail what we will do, as that might need more time, but we will be in touch.
  • We’ll keep you up-to-date as we investigate and address your disclosure.
  • Prioritisation for remediation considers the impact, severity and complexity of the vulnerability. Given this, please understand that it may take some time for a fix to be implemented.

Please note: if we find you have exploited, or in any way used, any vulnerability you found in a way that goes against this policy, we will be forced to report you to the relevant authorities in the UK and possibly other countries if required.