SECURITY · POLICY

Operated by Tamazia Ltd, a private limited company registered in England and Wales. Data Controller contact: dpo@tamazia.co.uk. Written correspondence: Tamazia Ltd, C1, Barking Wharf Square, London, IG11 7ZQ.

Reporting a vulnerability

Last updated 15 May 2026.

Scope

This policy covers tamazia.co.uk, tamazia.in, and any subdomain of either. It also covers Cloudflare Pages Functions deployed at the same hostnames. It does not cover third-party platforms we use such as Cal.com, Resend, or Cloudflare itself, which carry their own programs.

Coordinated disclosure

If you believe you have found a security vulnerability, write to founder@tamazia.co.uk with the subject line beginning "[Security]". Provide a clear reproduction path. We acknowledge receipt within 48 hours, return a triage decision within 7 days, and aim to remediate confirmed material issues within 30 days. We ask that you do not publicly disclose details for 90 days from acknowledgement, or until the issue is fixed, whichever is earlier.

Out of scope

The following are not eligible for coordinated handling because they reflect intended behaviour or third-party policy: missing CSP headers on third-party domains we link to; rate-limit responses; CAPTCHA challenges; CORS misconfiguration on cross-origin endpoints we do not own; volumetric denial-of-service; social engineering of staff; physical access attempts.

Safe harbour

Good-faith research conducted under this policy will not be subject to legal action by Tamazia provided you avoid privacy violations, data exfiltration beyond proof-of-concept, service degradation, and access to data belonging to others.

Acknowledgements

Researchers who follow this policy are listed at /security-acknowledgments/ with their consent.

Machine-readable

The same contact and policy URL is published at /.well-known/security.txt per RFC 9116.