1. Scope#
- boundless.tel and all subdomains
- The Boundless mobile app (iOS/Android)
- Public APIs at api.boundless.tel
2. How to report#
Email security@boundless.tel with steps to reproduce. Encrypt with our PGP key (link from the same address). We acknowledge within 1 working day, triage within 5, and patch on a severity-based SLA (Critical: 7d, High: 14d, Medium: 30d, Low: next release).
3. Safe-harbour#
Good-faith research within scope is authorised by us and we will not pursue legal action under the Computer Misuse Act 1990 or otherwise. Don't access more data than necessary. Don't degrade services. Don't share findings publicly until we've patched, or until 90 days have elapsed since report.
4. Recognition#
We publish a hall of fame for accepted reports (with your permission). We don't currently pay bug bounties, but we will provide a written reference.
5. Review & ownership#
Owner: CISO. Reviewed annually. Aligned with NCSC CAF v3.2 and ISO 27001:2022 control A.5.7.
Version history
| Version | Date | Change |
|---|---|---|
| v1.0 | 22 April 2026 | Initial publication. |
This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.