Vulnerability Disclosure Policy

Effective: April 2026  ·  Reviewed annually

Datumbase is operated by Brockhurst Property Ltd and handles sensitive CDM and construction compliance documents. We take security seriously. If you have found a vulnerability, we want to hear from you — privately, before it can be exploited.

1. How to report a vulnerability

Send your report by email to security@datumbase.tech. Please include:

  • A clear description of the vulnerability
  • The URL, endpoint, or component affected
  • Steps to reproduce (or a proof-of-concept if available)
  • The potential impact as you assess it
  • Your name / handle if you would like to be credited

Our security.txt file is available at /.well-known/security.txt per RFC 9116.

2. What happens after you report

Milestone                                   Target timeframe
Acknowledgement                             Within 2 business days
Triage / initial assessment                 Within 5 business days
Remediation of critical issues              Within 14 days where possible
Remediation of other confirmed issues       Within 30 days
Notification to reporter on resolution      When patched or mitigated

We will keep you informed if remediation takes longer than the target. We do not currently offer a monetary bug bounty, but we will credit researchers in our release notes where they consent to attribution.

3. Scope

In scope:

  • Web application — app.datumbase.tech (also compliance.datumbase.tech)
  • API endpoints under app.datumbase.tech/api/*
  • Authentication flows (magic link, passkey, OAuth)
  • Authorisation and access control (cross-tenant data access, RBAC bypass)
  • File upload and storage security
  • CDM document handling and retention enforcement

Out of scope:

  • Infrastructure operated by Supabase, Vercel, or other sub-processors
  • Denial-of-service attacks (DoS/DDoS)
  • Social engineering of Datumbase staff
  • Physical security
  • Automated scanner results with no evidence of exploitability

Lower priority:

  • Missing security headers already documented as remediation items
  • TLS configuration issues (managed by Vercel)

4. Rules of engagement

We ask all reporters to follow these guidelines:

  • Do not access, modify, or delete data that is not yours. Use your own account and test data only.
  • Do not perform automated scanning against production infrastructure without prior permission.
  • Do not exploit the vulnerability beyond what is necessary to confirm it exists.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it. We ask for 30 days before any public disclosure.
  • Act in good faith. Do not conduct research that causes harm to Datumbase or its customers.

5. Safe harbour

Brockhurst Property Ltd will not pursue legal action against researchers who:

  • Discover and report security vulnerabilities in good faith
  • Follow the rules of engagement set out in this policy
  • Do not access, exfiltrate, destroy, or modify customer data
  • Provide us with a reasonable time to resolve the issue before any disclosure

This safe harbour applies to research conducted under this policy. Activity that falls outside the scope defined above, or that breaches the rules of engagement, is not covered.

This policy is not a legal contract, but reflects our genuine commitment to working constructively with security researchers.

6. Contact

All vulnerability reports should be sent to security@datumbase.tech. For general security enquiries, you may also use this address.

For privacy and data protection matters, contact privacy@datumbase.tech.

Datumbase is operated by Brockhurst Property Ltd, England & Wales.