
Responsible Disclosure Policy

Last updated: March 2026  —  TP Commercial Finance Ltd

1. Our Commitment

TP Commercial Finance Ltd is committed to maintaining the security of our platform and the data entrusted to us by UK lenders. We believe that responsible security research makes the internet safer for everyone, and we value the contributions of independent security researchers who help identify vulnerabilities in our systems.

If you have discovered a security vulnerability in the Loan Intel platform, our APIs, or associated infrastructure, we encourage you to disclose it to us responsibly. We commit to working with you in good faith to understand, validate, and remediate the issue promptly.

We will not pursue legal action against researchers who act in accordance with this policy. We ask that you give us the opportunity to address vulnerabilities before making any public disclosure.

2. Scope

This policy applies to security vulnerabilities in the following systems:

  • The Loan Intel web application and marketing website at www.loan-intel.com
  • Our public-facing APIs
  • Authentication and authorisation systems
  • Any subdomain or service operated by TP Commercial Finance Ltd

The following are out of scope for this programme:

  • Denial of service attacks or any testing that could impact platform availability for other users
  • Physical security of our offices or data centres
  • Social engineering attacks targeting TPCF staff
  • Vulnerabilities in third-party services or libraries that are not within our control to fix
  • Theoretical vulnerabilities without a demonstrable proof of concept
  • Issues that require physical access to a user's device

3. What to Report

We are interested in hearing about the following types of vulnerability:

  • Authentication bypass or privilege escalation flaws
  • Injection vulnerabilities (SQL injection, command injection, SSTI, etc.)
  • Cross-site scripting (XSS) or cross-site request forgery (CSRF)
  • Sensitive data exposure or insecure direct object references
  • Broken access controls allowing access to other organisations' data
  • API security flaws including missing or insufficient rate limiting, missing authentication, or data over-exposure
  • Server-side request forgery (SSRF)
  • Subdomain takeover vulnerabilities
  • Security misconfigurations exposing sensitive information

4. How to Report

Please submit vulnerability reports by email to:

Security Contact

support@loan-intel.com

Your report should include:

  • A clear description of the vulnerability, including the type of issue
  • The URL, API endpoint, or system component affected
  • A step-by-step proof of concept demonstrating the vulnerability
  • Screenshots, request/response logs, or video where helpful
  • Your assessment of the potential impact
  • Your name or handle, if you wish to be acknowledged

Please do not access, modify, or delete data belonging to other users in the course of your research. If you inadvertently access data you are not authorised to view, please stop immediately and report this to us.

For particularly sensitive disclosures, please request our PGP public key at the above address before submitting.

5. Response Timeline

We are committed to the following response timelines from receipt of a valid vulnerability report:

  • 24 hours: Initial acknowledgement. We will confirm receipt of your report and assign it a tracking reference.
  • 5 business days: Triage and assessment. We will assess severity, reproduce the issue, and provide an initial impact assessment.
  • 30 days: Target remediation. We aim to fix critical and high-severity vulnerabilities within 30 days of confirmation.

We will keep you informed of progress throughout the remediation process. For complex issues requiring extended remediation, we will agree a coordinated disclosure timeline with you.

6. What We Ask of Researchers

In return for our commitments above, we ask that you:

  • Act in good faith and do not exploit a vulnerability beyond what is necessary to demonstrate the issue
  • Do not access, exfiltrate, or destroy data belonging to other users
  • Do not conduct testing that could impair the availability of the platform for others
  • Do not share details of the vulnerability with third parties until we have confirmed it is remediated, or until we have agreed a coordinated disclosure timeline
  • Provide us with a reasonable amount of time to respond before making any public disclosure
  • Keep all details of your research confidential pending remediation

7. Recognition

We maintain a Security Hall of Fame to recognise researchers who have made responsible disclosures that materially improved our security. With your permission, we will acknowledge your contribution by name or handle in our Hall of Fame upon successful remediation of a confirmed vulnerability.

At this time, we do not operate a monetary bug bounty programme. We evaluate all significant disclosures individually and may offer recognition or reward at our discretion for high-impact findings.

8. Legal Safe Harbour

TP Commercial Finance Ltd will not initiate legal action against individuals who discover and report security vulnerabilities in good faith and in accordance with this policy. We consider such research to be authorised conduct and will not pursue claims under the Computer Misuse Act 1990 or any other applicable legislation in respect of actions that comply with this policy.

This safe harbour applies provided that you:

  • Do not exceed the minimum access necessary to demonstrate the vulnerability
  • Do not access, modify, or destroy data you are not authorised to access
  • Do not disclose the vulnerability to third parties before we have had the opportunity to remediate it
  • Act in accordance with all other requirements of this policy

We cannot provide safe harbour in respect of actions that fall outside the scope of this policy, or where a researcher acts in bad faith.