Security Policy
Last updated: 23 December 2025
Our Commitment to Security
At Jerry Can Spirits®, we take the security of our systems and the protection of our customers' data seriously. We appreciate the security research community's efforts in helping us maintain the highest security standards.
This policy outlines our guidelines for responsible disclosure of security vulnerabilities and how we handle security reports.
Reporting a Vulnerability
How to Report
If you believe you've discovered a security vulnerability in our systems, please report it to us immediately:
Email: security@jerrycanspirits.co.uk
Please use "SECURITY VULNERABILITY" in the subject line
What to Include
To help us understand and resolve the issue quickly, please include:
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Proof of concept (if applicable)
- Any relevant screenshots or logs
- Your contact information for follow-up questions
- CVE ID (if already assigned)
Our Response Process
Timeline
- Initial Response: Within 48 hours of receiving your report
- Status Updates: Regular updates throughout our investigation
- Resolution: We aim to resolve critical issues within 30 days
- Disclosure: Coordinated disclosure after the issue is resolved
What You Can Expect
- Acknowledgment of your report within 48 hours
- Regular communication about the progress of your report
- Credit for your discovery (if you wish to be acknowledged)
- A transparent and collaborative approach to resolving the issue
Responsible Disclosure Guidelines
Please Do:
- Report vulnerabilities as soon as you discover them
- Provide detailed information to help us reproduce and fix the issue
- Give us reasonable time to address the vulnerability before public disclosure
- Act in good faith to avoid privacy violations, data destruction, or service disruption
Please Do Not:
- Access or modify data that does not belong to you
- Perform actions that could harm our systems or users
- Publicly disclose the vulnerability before we have had time to address it
- Exploit the vulnerability for personal gain
- Access, download, or modify user data without explicit permission
- Conduct testing that impacts our service availability
Scope
In Scope
- jerrycanspirits.co.uk and all subdomains
- Our web application and API endpoints
- Authentication and authorization mechanisms
- Payment processing systems
- Customer data handling
Out of Scope
- Third-party services we use (please report directly to the vendor)
- Social engineering attacks
- Physical security issues
- Denial of Service (DoS) attacks
- Email/SMS bombing
Rewards & Recognition
While we do not currently offer a bug bounty program, we deeply appreciate the efforts of security researchers who help keep our platform safe.
What We Offer
- Public acknowledgment of your contribution (with your permission)
- A sincere thank you from our team
- The satisfaction of helping protect our customers
Legal Safe Harbor
We consider security research conducted in accordance with this policy to be:
- Authorized in accordance with the Computer Misuse Act 1990
- Lawful and we will not pursue legal action against you
- Good faith security research
We will not bring any legal action against researchers who discover and report vulnerabilities in accordance with this policy.
Security Best Practices
We maintain the following security measures to protect our systems and customer data:
- Content Security Policy (CSP) implementation
- DNSSEC for DNS security
- HSTS preloading for HTTPS enforcement
- Regular security audits and monitoring
- Encryption of data in transit and at rest
- Web Application Firewall (WAF) protection
- DDoS mitigation across multiple layers
- Regular security updates and patches
Contact Information
For security-related inquiries:
Security Email: security@jerrycanspirits.co.uk
General Contact: Contact Form
Company: Jerry Can Spirits® Ltd, United Kingdom
Related Policies
• Privacy Policy - How we handle your personal data
• Cookie Policy - Our use of cookies and tracking
• Terms of Service - Terms governing use of our website
This Security Policy was last updated on 23 December 2025.
We may update this policy from time to time. We encourage you to review it periodically.