Shamzeco Limited
Company Registration Number: 16105185
Registered Office: 10 Kelsall Grove, Leeds, LS6 1QY, United Kingdom
Effective Date: [10 January 2026]
Version: 1.0
1. Introduction
Shamzeco Limited (“we”, “our”, or “us”) values the security of our retail e-commerce platform, www.shamzeco.com, and our customers’ data. We recognize the important role that security researchers and the broader community play in keeping our digital environment secure. This Responsible Disclosure Policy outlines our approach to receiving and addressing security vulnerability reports.
2. Our Commitment
We are committed to:
- Working collaboratively with security researchers to validate and address potential vulnerabilities
- Maintaining transparency and open communication throughout the disclosure process
- Not taking legal action against individuals who discover and report security vulnerabilities in accordance with this policy
- Fixing validated vulnerabilities in a timely manner
3. Scope
This policy applies to the following assets:
- Primary domain: www.shamzeco.com
- Associated subdomains
- Our mobile applications
- Customer-facing APIs
Out of Scope:
- Third-party services not directly operated by Shamzeco Limited
- Social engineering attacks
- Physical security assessments
- Denial of Service (DoS/DDoS) attacks
- Network-level attacks
- Spam or email-related issues
- Theoretical vulnerabilities without proof-of-concept
- Issues related to software dependencies without demonstrated impact
4. Guidelines for Responsible Disclosure
We request that security researchers:
Do:
- Report potential vulnerabilities as soon as they are discovered
- Provide detailed reports with steps to reproduce the vulnerability
- Include proof-of-concept code or screenshots where possible
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Keep information about discovered vulnerabilities confidential until we have resolved the issue
- Test only on your own accounts or with explicit permission from account holders
Don’t:
- Access or modify data that does not belong to you
- Perform actions that could impact the availability of our services
- Use automated scanning tools that may generate significant traffic
- Disclose the vulnerability to third parties before we have had reasonable time to address it
- Engage in extortion, threats, or other coercive tactics
- Violate any applicable laws or regulations
5. Reporting a Vulnerability
Please submit vulnerability reports to: [email protected]
Required Information:
- Description of the vulnerability and its potential impact
- Steps to reproduce (include URLs, payloads, screenshots, etc.)
- Affected component/version (if applicable)
- Your contact information (optional, but helpful for clarification)
Encryption: For sensitive reports, you may encrypt your email using our PGP key (available upon request).
6. What to Expect
Upon receiving your report:
- Acknowledgement: We will acknowledge receipt within 48 business hours
- Validation: Our security team will validate the reported vulnerability within 7 business days
- Assessment: We will assess the severity and impact
- Remediation: We will work to fix validated vulnerabilities and provide an estimated timeline
- Notification: We will notify you when the vulnerability is resolved
- Acknowledgement: With your permission, we may acknowledge your contribution in our security hall of fame
Our Response Timeline:
- Critical vulnerabilities: Immediate attention and resolution
- High severity: Resolution within 14 days
- Medium severity: Resolution within 30 days
- Low severity: Resolution within 90 days
7. Safe Harbor
We will not initiate legal action against individuals who:
- Engage in testing/research consistent with this policy
- Report vulnerabilities in good faith
- Do not cause harm to Shamzeco Limited, our customers, or our services
- Comply with all applicable laws
We consider security research conducted under this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
- Exempt from restrictions in our Terms of Service that would prohibit security research
- Lawful, helpful to the overall security of the internet, and conducted in good faith
8. No Rewards/Bounties
Currently, Shamzeco Limited does not operate a bug bounty program and does not offer monetary rewards for vulnerability reports. However, we may, at our discretion:
- Publicly acknowledge your responsible disclosure (with your permission)
- Provide a letter of appreciation for employment or academic purposes
- Consider other non-monetary recognition
9. Legal
This policy is not an authorization, contract, or license to:
- Conduct security testing outside the scope described
- Act in any manner inconsistent with applicable laws
- Access systems or data beyond what is necessary to demonstrate a vulnerability
Shamzeco Limited reserves the right to modify this policy at any time. Changes will be communicated on this page.
10. Contact
For questions about this policy or to discuss a potential vulnerability, please contact:
Shamzeco Limited Security Team
Email: [email protected]
Postal Address: 10 Kelsall Grove, Leeds, LS6 1QY, United Kingdom
For urgent security matters outside of business hours, please include “URGENT SECURITY” in your email subject line.