Security Disclosure Policy
Brand Design Ltd. welcomes responsible vulnerability disclosure. If you discover a security issue affecting branddesign.ltd, our client deliverables, or any infrastructure we operate, contact us via the channels below. We acknowledge reports within 48 hours and aim to remediate valid issues within 30 days (see "What we commit to" for the full timeline).
How to report
Email contact@branddesign.ltd with subject line "Security Disclosure". Include:
• A description of the vulnerability
• Steps to reproduce
• The affected URL or system
• Your preferred contact method for follow-up
• (Optional) Your name or handle for public acknowledgement
Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it (30 days from acknowledgement, or sooner by mutual agreement).
Scope — in scope
This policy applies to:
• branddesign.ltd and all its subdomains
• branddesign.live (legacy domain, redirects to .ltd)
• All client websites where Brand Design Ltd. retains operational responsibility
• Public APIs we publish at /.well-known/openapi.json
• The free AI Audit tool at /ai-audit
• The chat widget and its backend at /chat-api.php
Scope — out of scope
The following are not eligible for vulnerability disclosure under this policy:
• Denial-of-service attacks or testing
• Social engineering of staff or clients
• Physical attacks on premises
• Issues in third-party services we do not control (Hostinger CDN, Google services, Anthropic API, etc.)
• Reports without a reproducible proof of concept
• Vulnerabilities in third-party plugins or libraries we have not modified
• Automated scanner output without manual verification
What we commit to
Acknowledge the report within 48 hours of submission.
Investigate the issue within 7 days and confirm whether it is in scope.
Remediate valid vulnerabilities within 30 days (or communicate a clear extended timeline if the fix requires architectural changes).
Credit the reporter publicly on this page (if they consent) once the issue is resolved.
Safe harbour: we will not pursue legal action against good-faith researchers who follow this policy.
RFC 9116 — security.txt
Our machine-readable security disclosure file follows RFC 9116 and is published at: https://branddesign.ltd/.well-known/security.txt
This file lets automated tooling and scripted lookups discover our disclosure channels without reading this page. It passes the securitytxt.org validator.
Encryption (optional)
If your report contains sensitive material (production credentials, exploit payloads, etc.), you may request our PGP public key by email. We will respond with the key fingerprint within 24 hours; check the key you receive against that fingerprint before encrypting.
Alternative: encrypted upload via https://files.branddesign.ltd/upload (on request).
Contact channels
Primary email: contact@branddesign.ltd
Phone: +359 877 57 00 79 (during EU business hours)
Languages: English, Bulgarian
Policy expiry: 2027-12-31T23:59:59Z (renewal review annually)
Canonical URL: https://branddesign.ltd/.well-known/security.txt
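The security.txt section above and the contact channels just listed are the inputs to an RFC 9116 file. The following checker is an added example, not code from this page or from Brand Design Ltd.; the sample file inside it is constructed from the channels stated here (email, phone, languages, expiry and canonical URL), and the field rules are those of RFC 9116: Contact and Expires are mandatory, Expires and Preferred-Languages may appear at most once, web URIs must use https, and Expires should be less than a year in the future.

```python
"""RFC 9116 security.txt checker (added example; not the page's own code).

The sample file below is constructed from the contact channels listed in
this policy. Field rules follow RFC 9116: Contact and Expires are mandatory,
Expires and Preferred-Languages appear at most once, web URIs use https, and
Expires should be under a year out.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_SECURITY_TXT = """\
# Constructed from the contact channels listed in this policy
Contact: mailto:contact@branddesign.ltd
Contact: tel:+359-877-57-00-79
Expires: 2027-12-31T23:59:59Z
Preferred-Languages: en, bg
Canonical: https://branddesign.ltd/.well-known/security.txt
"""

KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
SINGLE_VALUED = {"expires", "preferred-languages"}
WEB_ONLY = {"canonical", "policy", "acknowledgments", "hiring", "csaf"}
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")  # RFC 5646 shape


def _parse_time(value):
    """Parse an RFC 3339 timestamp; 'Z' is normalised for fromisoformat."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a timezone")
    return ts


def parse_security_txt(text):
    """Return [(field_name_lowercase, value)]; blanks and # comments are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first colon splits name/value
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return (errors, warnings). Errors violate RFC 9116 MUSTs; warnings are SHOULDs."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    errors, warnings = [], []
    fields = parse_security_txt(text)
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    if counts.get("contact", 0) == 0:
        errors.append("Contact is mandatory")
    if counts.get("expires", 0) == 0:
        errors.append("Expires is mandatory")
    for name in SINGLE_VALUED:
        if counts.get(name, 0) > 1:
            errors.append(f"{name} must appear at most once")
    for name, value in fields:
        if name not in KNOWN_FIELDS:
            warnings.append(f"unknown field '{name}' (tooling will ignore it)")
        elif name == "contact":
            if value.startswith("http://"):
                errors.append(f"Contact web URI must use https: {value}")
            elif not value.startswith(("mailto:", "tel:", "https://")):
                warnings.append(f"Contact is not a mailto/tel/https URI: {value}")
        elif name == "expires":
            try:
                exp = _parse_time(value)
            except ValueError:
                errors.append(f"Expires is not an RFC 3339 timestamp: {value}")
                continue
            if exp <= now:
                errors.append("Expires is in the past; the file is stale")
            elif exp - now > timedelta(days=366):
                warnings.append("Expires is more than a year out; RFC 9116 recommends less")
        elif name == "preferred-languages":
            bad = [t.strip() for t in value.split(",") if not LANG_TAG.match(t.strip())]
            if bad:
                errors.append(f"Preferred-Languages has invalid tags: {bad}")
        elif name == "encryption":
            if not value.startswith(("https://", "dns:", "openpgp4fpr:")):
                errors.append(f"Encryption must be an https, dns or openpgp4fpr URI: {value}")
        elif name in WEB_ONLY:
            if not value.startswith("https://"):
                errors.append(f"{name} must be an https URI: {value}")
            if name == "canonical" and not value.endswith("/.well-known/security.txt"):
                warnings.append(f"Canonical does not point at /.well-known/security.txt: {value}")
    return errors, warnings


if __name__ == "__main__":
    for kind, items in zip(("errors", "warnings"), check_security_txt(SAMPLE_SECURITY_TXT)):
        print(kind, items)
```

Run against the sample, the file has no errors but draws a warning when the check date is more than a year before the stated expiry: RFC 9116 recommends keeping Expires under a year out, so the annual renewal review stated above should also refresh that value rather than leaving a multi-year date in place. Fetching the live file and confirming it is served over HTTPS is left to the caller, since that cannot be checked offline.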
Past acknowledgements
No public vulnerability disclosures have been processed under this policy yet. As reporters consent to public credit, this list will be updated.
If you have submitted a report and we have not responded within 48 hours, please email contact@branddesign.ltd with subject "Security Followup".