Skip to main content

Security

Vulnerability Disclosure Policy

We appreciate responsible security research. If you believe you have found a security vulnerability in an INWOOD Furniture website or public service, please tell us so we can investigate and improve it.

Last updated: 15 July 2026

How to report

Email your report to inwoodfurniture@hotmail.com with “Security report” in the subject line. Please include:

  • The affected URL, endpoint, or component.
  • Clear steps to reproduce the issue and the expected versus actual result.
  • The potential security impact and any conditions needed for exploitation.
  • Relevant screenshots, request details, or a minimal proof of concept.
  • A safe way for us to contact you with follow-up questions.

Responsible testing

Please make a good-faith effort to avoid privacy violations, service disruption, and damage to data. Use test accounts where possible, stop testing if you encounter another person’s data, and do not download, change, or retain more information than is necessary to demonstrate the issue.

Do not:

  • Perform denial-of-service, spam, brute-force, or high-volume automated testing.
  • Use social engineering, phishing, physical attacks, or attacks against our staff or customers.
  • Access, copy, delete, or modify data belonging to other people.
  • Publish details of an unresolved vulnerability before we have had a reasonable opportunity to respond.

Scope

This policy covers public websites and services operated by INWOOD Furniture, including inwoodfurniture.co.nz and its public endpoints.

Third-party services such as Cloudflare, Resend, Google, social platforms, and hosting or payment providers are outside our control. Please report vulnerabilities in those services to the relevant provider as well, and do not test another provider through our systems without permission.

What happens next

We aim to acknowledge reports within five business days. We will assess the report, investigate the impact, and may contact you for additional information. Remediation time depends on severity, complexity, and the involvement of third-party services.

We do not currently offer a bug bounty or guarantee payment for reports. We may publicly acknowledge a researcher only with their permission.

Good-faith safe harbour

We will not pursue legal action against security researchers for good-faith activity that follows this policy, complies with applicable law, and avoids harm to people, privacy, and services. This does not authorise testing of third-party systems or protect activity that falls outside these guidelines.