Report a Security Issue

If you believe you have found a security vulnerability, misconfiguration, or data exposure in any Filssi system, please contact our security team immediately. We aim to respond to all reports within 24 hours.


Security Team

Email us directly at our dedicated security address. Please include as much detail as possible — steps to reproduce, affected endpoints, and the potential impact.

For general product support queries, please use support@filssi.com instead. The security address is monitored exclusively for security and vulnerability reports.

Our Response Commitments

We take all security reports seriously. When you report a vulnerability to us, you can expect:

  • 24 hours: Initial acknowledgement
  • 5 days: Severity assessment & triage
  • 30 days: Target fix for critical issues
  • 90 days: Target fix for medium issues

We will keep you informed of our progress throughout the process. Once a fix is deployed, we are happy to discuss public disclosure timing with you.

What to Include in Your Report

A detailed report helps us triage and fix issues faster. Please include where possible:

  • A clear description of the vulnerability and its potential impact
  • The URL, endpoint, or component affected
  • Step-by-step reproduction instructions
  • Any proof-of-concept code, screenshots, or HTTP request/response examples
  • The type of vulnerability (e.g. XSS, CSRF, authentication bypass, data exposure)
  • Whether you believe any data was accessed or exfiltrated

Responsible Disclosure Guidelines

We ask researchers and reporters to follow these guidelines:

  • Do not access, modify, or delete data belonging to other users or companies
  • Do not perform denial-of-service attacks or disrupt our services
  • Do not share details publicly until we have had a reasonable opportunity to investigate and remediate
  • Use a test account or your own account for any testing — never use another user's credentials
  • Report the issue as soon as possible after discovery

Important: Testing that involves accessing real customer data, running automated scanners at scale, or attempting to compromise our infrastructure goes beyond responsible disclosure and may have legal consequences.

We will not take legal action against researchers who discover and report security issues in good faith and in accordance with these guidelines.

Scope

In Scope

  • The Filssi web application at filssi.com and any subdomains (e.g. ap.filssi.com)
  • Authentication and session management
  • Data access controls and multi-tenant isolation
  • API endpoints and HMRC integration flows
  • File upload and processing pipelines

Out of Scope

  • Third-party services we rely on (Stripe, Resend, Neon, HMRC APIs) — please report these to the respective vendors
  • Social engineering or phishing attacks against our staff
  • Physical security
  • Clickjacking on pages without sensitive actions
  • Missing HTTP headers that do not directly lead to a vulnerability
  • Self-XSS (where the attack can only affect the attacker's own session)

What Happens After You Report

  1. We acknowledge receipt of your report within 24 hours
  2. Our security team assesses severity using the CVSS framework
  3. We investigate, reproduce, and develop a fix
  4. We deploy the fix and verify it resolves the issue
  5. We notify you and agree on a public disclosure timeline if applicable

We credit researchers in our security acknowledgements (with your permission) once the issue has been resolved.

Regulatory & Data Breach Obligations

Creator Business OS Ltd has a documented internal process for responding to security breaches involving personal or customer data. This covers two mandatory regulatory notifications, both within 72 hours of becoming aware of the incident:

1. HMRC Notification

Any breach involving data transmitted to or received from HMRC (including Making Tax Digital VAT, Corporation Tax, or PAYE/RTI data) must be reported to HMRC immediately by logging a support ticket via the HMRC Developer Hub. The ticket must include:

  • A description of the nature of the breach and the data affected
  • The name and direct telephone number of the designated breach contact at Creator Business OS Ltd
  • The date and time the breach was discovered
  • Immediate steps taken to contain or remediate the incident

This notification must be completed within 72 hours of becoming aware of the breach, regardless of whether full information is yet available. Incomplete reports may be submitted and updated as further information becomes known.

2. ICO Notification

As a UK GDPR-regulated data processor, Creator Business OS Ltd is obligated to notify the Information Commissioner's Office (ICO) of personal data breaches that meet the reporting threshold within 72 hours of becoming aware of them, and to notify affected customers without undue delay.

Internal Escalation Process

  1. Breach or suspected breach is identified and reported to support@filssi.com with subject line "URGENT: Possible Breach"
  2. Immediate containment measures are taken (e.g. revoking tokens, isolating affected accounts)
  3. Assessment of severity, scope, and data categories affected
  4. HMRC notified via Developer Hub ticket within 72 hours
  5. ICO notified via the ICO online reporting tool within 72 hours if a reportable breach
  6. Affected customers notified without undue delay
  7. Post-incident review and remediation

Our full data protection obligations are described in our Privacy Policy and Data Processing Agreement. Filssi transmits taxpayer data to HMRC solely under the regulatory authority provided by HMRC's Making Tax Digital programme and does not use it for any other purpose.
