Report Security Issues (Toyz For All)

Last updated: 01 January 2026

If you believe you have found a security vulnerability on toyzforall.co.uk (the “Website”), we appreciate your help in disclosing it responsibly.

How to report

Please email your report to: contact@toyzforall.co.uk
Subject line suggestion: Security Report – [short title]

Include (if possible):

  • A clear description of the issue

  • The page/URL(s) affected

  • Steps to reproduce (safe and non-destructive)

  • Any screenshots/logs that help us understand the issue

  • Your contact details for follow-up

Please do not publicly disclose details until we have had a reasonable time to investigate and fix the issue.


Responsible Disclosure Principles (“Safe Harbour”)

If you follow the rules below when reporting a security issue to Toyz For All, we will not initiate legal action against you for your report:

  1. Give us reasonable time to investigate and repair the issue before making any public disclosure.

  2. Do not access or modify private data (including customer accounts, orders, payment details, or admin areas) without explicit permission.

  3. Act in good faith to avoid privacy violations and disruption to others (including avoiding service interruption or degradation).

  4. Do not exploit any security issue you discover (including attempts to escalate access, extract data, or test beyond what’s necessary to confirm the vulnerability).

  5. Comply with applicable laws and regulations.


Scope

This policy applies to vulnerabilities discovered on:

  • toyzforall.co.uk and its subdomains (where applicable)

Out of scope (examples):

  • Physical security issues

  • Social engineering of staff/customers

  • Denial-of-service (DoS/DDoS) testing

  • Spam, or issues that require access to third-party systems we do not control


Bounty Program (Optional)

Toyz For All may recognise and reward security researchers who help keep users safe by reporting valid vulnerabilities.

  • Any bounty is entirely discretionary and based on factors such as risk, impact, and report quality.

  • We may prioritise reports based on severity and the number of reports received.

  • We reserve the right to publish a summary of fixed vulnerabilities (without sensitive details).

Eligibility (to be considered)

  1. Follow the Responsible Disclosure Principles above.

  2. Report a genuine security/privacy risk affecting our services.

  3. Submit the report via contact@toyzforall.co.uk (please do not contact staff personally).

  4. If you accidentally accessed data or caused disruption, disclose it immediately in your report.


Reward Guidelines (maximum amounts)

These amounts are guidelines only; actual rewards are at our discretion.

Critical severity (up to £200)
Examples: privilege escalation to admin, remote code execution, financial theft, authentication bypass leading to full account access, SQL injection exposing sensitive data.

High severity (up to £100)
Examples: significant information disclosure, lateral authentication bypass, stored XSS impacting other users, insecure authentication cookie handling, local file inclusion.

Medium severity (up to £50)
Examples: vulnerabilities affecting multiple users with low interaction required, IDOR (insecure direct object reference), important logic flaws.

Low severity
Examples: open redirects, reflected XSS with significant prerequisites, low-sensitivity information leaks.


Contact

Toyz For All
Address: Unit 1, Whitefriars Business Centre, High St, Lincoln LN5 7DQ, United Kingdom
Telephone: +44 1513471884
Email: contact@toyzforall.co.uk