Crescent Services has joined the CPC website so all our customers can access our frameworks and services in one place! Learn more 

CPC Swoosh

Vulnerability Disclosure Policy

How to report a vulnerability

If you believe you have found a security vulnerability affecting this website or a related service operated by Crescent Purchasing Consortium (CPC), please report it by email to [email protected]. Please provide enough information for us to understand and reproduce the issue safely.

  • The website, page, system, hostname, or IP address affected.

  • A brief description of the issue and why you believe it is a vulnerability.

  • Clear, non-destructive steps to reproduce the issue.

  • Any proof of concept, screenshots, logs, request and response details, or other supporting information that will help us validate the report.

  • Your contact details, if you would like us to keep you updated.

What you can expect from us

We will aim to acknowledge receipt of your report within 5 working days and to assess or triage it as quickly as reasonably possible. Timescales for investigation and remediation will vary depending on the nature, severity, complexity, and potential impact of the issue. We may contact you if we need further information.

We ask that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it, and that any public disclosure is coordinated with us. We value responsible disclosure, but we do not operate a bug bounty programme and do not offer financial rewards for vulnerability reports.

Scope and safe testing

When investigating and reporting a vulnerability, you must act lawfully, in good faith, and avoid privacy breaches, disruption, or harm to users, staff, or services. Testing must be limited to the minimum necessary to confirm the existence of a vulnerability. In particular, you must not:

  • Access, download, or exfiltrate more data than is strictly necessary to demonstrate the issue.

  • Modify, delete, or destroy data.

  • Use high-intensity, invasive, or destructive scanning techniques.

  • Attempt denial of service, resource exhaustion, or any activity likely to degrade availability.

  • Exploit a vulnerability beyond what is necessary for a minimal proof of concept.

  • Introduce malicious code, malware, or persistence mechanisms.

  • Undertake phishing, social engineering, physical attacks, or attempts to access accounts that do not belong to you.

  • Test third-party systems, suppliers, or services unless they are clearly within our control and explicitly in scope.

Reports that relate solely to best-practice recommendations, missing headers, banner disclosure, version disclosure, rate limiting observations, clickjacking on low-risk pages, or similar low-risk configuration findings may not always be treated as vulnerabilities unless there is a clear, demonstrable security impact. Issues affecting third-party platforms should also be reported to the relevant provider where appropriate.

Data protection and confidentiality

If you encounter personal data or other sensitive information while testing, you must stop, avoid further access, keep the information secure, and report the issue to us immediately. You must not disclose, share, copy, retain, or use such information beyond what is strictly necessary for reporting the issue.

Nothing in this policy gives permission to break the law, access data without authorisation, or carry out activity that is inconsistent with this policy. We reserve the right to determine the scope of our systems and the appropriate response to any report.