Vulnerability Disclosure Process

Elisian Ltd  ·  Company No. 10276624  ·  Last reviewed: June 2026

Our commitment to security

Elisian takes the security of our platform and the data we hold on behalf of our clients very seriously. We recognise that security researchers and the broader community play an important role in identifying vulnerabilities. We welcome responsible disclosure from anyone who believes they have found a security issue in our products or infrastructure.

Scope

This process applies to vulnerabilities discovered in:

  • The Elisian web application and platform (app.elisian.co.uk)
  • The Elisian marketing website (elisian.co.uk)
  • Elisian APIs and integrations
  • Elisian-managed infrastructure and services

This process does not cover vulnerabilities in third-party systems or services that we do not operate, even where they may be linked to or integrated with our platform.

How to report

If you believe you have identified a security vulnerability, please report it to us by email at security@elisian.co.uk. Please include the following information in your report:

  • A description of the vulnerability and the potential impact
  • The steps required to reproduce the issue, including URLs, request/response data, and any tools used
  • Your name and contact details (optional, but required if you would like acknowledgement)

Where possible, please encrypt your report using our PGP key, available on request.

What to expect from us

  • We will acknowledge receipt of your report within 2 business days
  • We will aim to provide an initial assessment of the report within 5 business days
  • We will keep you informed of our progress as we investigate and remediate the issue
  • We will notify you when the vulnerability has been resolved

Responsible disclosure guidelines

We ask that you:

  • Give us a reasonable amount of time to investigate and remediate before disclosing publicly
  • Do not access, modify, or delete data belonging to Elisian or our clients
  • Do not perform actions that could disrupt or degrade our services
  • Do not conduct social engineering, phishing, or physical security attacks
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

We will not take legal action against researchers who follow these guidelines in good faith. We may publicly acknowledge individuals or organisations who report valid vulnerabilities, with their permission.

Out of scope

The following are generally considered out of scope for this process:

  • Denial of service attacks
  • Spam or social engineering of Elisian employees or clients
  • Vulnerabilities in third-party software or services not under Elisian's control
  • Issues without a demonstrable security impact (e.g., missing HTTP headers that do not create a realistic attack vector)
  • Known or previously disclosed vulnerabilities

Contact

Security disclosures: security@elisian.co.uk

General enquiries: hello@elisian.co.uk