Security Policy
Last updated: 17 April 2026
Purpose
This page sets out Varro's vulnerability disclosure policy. It explains what security research we welcome, what is out of scope, how to report a vulnerability to us, and the safe-harbour commitments we make to researchers who follow this policy. It is referenced from our machine-readable security contact file at /.well-known/security.txt (RFC 9116).
Reporting a vulnerability
If you believe you have found a security vulnerability affecting Varro, please email [email protected]. Please include:
• The affected URL, endpoint, or component
• A clear description of the issue
• Step-by-step reproduction instructions
• Your assessment of the impact
• Any proof-of-concept code, screenshots, or request/response evidence
• Whether you have disclosed this to any other party
We aim to acknowledge reports within two working days.
In scope
Varro welcomes good-faith security research on:
• Vulnerabilities affecting https://varro-tax.co.uk and its subdomains that compromise the confidentiality, integrity, or availability of user data
• Authentication and authorisation flaws (account takeover, session handling, privilege escalation)
• Injection vulnerabilities (SQL, command, cross-site scripting)
• Server-side request forgery (SSRF) affecting Varro-controlled infrastructure
• Insecure direct object references that cross user boundaries
• Cryptographic weaknesses affecting user data (bank-connection tokens, HMRC credentials, MFA secrets)
• Issues in our Open Banking or HMRC integration handling that could expose user data
• Sensitive data leakage in responses or error messages
Out of scope
The following are out of scope and will not be rewarded or treated as vulnerabilities:
• Findings from automated scanners without manual validation and a clear proof-of-concept
• Denial-of-service, resource-exhaustion, and rate-limit bypass testing (please do not attempt)
• Social engineering of Varro staff, customers, or third-party providers
• Physical security attacks
• Issues affecting unsupported browsers or outdated operating systems
• Missing security headers without a demonstrated exploit (reported for awareness but not eligible for safe harbour beyond disclosure)
• Self-XSS (requires the victim to paste code into their own browser)
• Clickjacking on pages without sensitive actions
• Theoretical vulnerabilities without a working exploit
• Reports of known vendor vulnerabilities in third-party software we use where no Varro-specific issue is demonstrated
• Vulnerabilities in third-party services or infrastructure operated by Supabase, Stripe, TrueLayer, Anthropic, HMRC, Cloudflare, Vercel, or Resend — please report those directly to the relevant provider
Rules of engagement
By participating in research under this policy, you agree to:
• Only test against your own account or accounts you are explicitly authorised to test
• Never access, modify, or delete another user's data
• Stop immediately if you gain access to data that is not your own, and report it to us
• Not perform any testing that could degrade service for other users
• Not publicly disclose the vulnerability, or details that would enable exploitation, until we have had a reasonable opportunity to remediate (see Coordinated disclosure below)
• Not retain, share, or publish any Varro user data, HMRC data, or bank data that you access in the course of testing
• Comply with all applicable laws, including the Computer Misuse Act 1990 and UK data protection law
Safe harbour
Varro will not pursue legal action against researchers who:
• Act in good faith
• Comply with this policy, including the rules of engagement above
• Report vulnerabilities promptly and only to [email protected]
• Give us a reasonable opportunity to remediate before any public disclosure
Safe harbour is limited to action by Varro. We cannot bind HMRC, TrueLayer, or any other third party, and you should be aware that testing that touches their systems may be outside the scope of this policy. If you are unsure whether a piece of research is in scope, please ask at [email protected] before proceeding.
Coordinated disclosure
We follow a 90-day coordinated-disclosure window measured from the date we acknowledge your report. Within that window we will triage, remediate, and deploy a fix. We will keep you informed of progress and will credit you in any advisory we publish unless you ask us not to. If a fix is not possible within 90 days, we will contact you to agree an extension. We will not use legal threats or contract terms to delay public disclosure of resolved issues.
What we do not offer
Varro does not operate a paid bug-bounty programme at this time. We offer the safe-harbour commitments above, public credit in our advisories (if desired), and our thanks. We may offer a token of appreciation at our discretion for high-impact reports but cannot guarantee this.
Contact
[email protected] — for vulnerability reports. [email protected] — for other enquiries. This policy is versioned alongside our machine-readable RFC 9116 file at /.well-known/security.txt.