Home > Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

Last updated: 15/07/2026

This policy gives security researchers a clear way to report a potential security vulnerability in Micron21's services and infrastructure, and explains what we will do when you report one.

About this policy

The security of our platform is central to what we do, and we take every care to keep our systems secure. Even so, vulnerabilities can exist. If you believe you have found one, we want to hear from you. This policy explains how to tell us safely.

We value the work of the security research community. Research conducted in good faith under this policy is welcome, and Micron21 will not pursue or support legal action against researchers who comply with it.

What this policy covers

You can report vulnerabilities in the internet-facing services and infrastructure that Micron21 operates, including:

  • the mCloud Portal and mCloud API
  • Micron21 login and authentication services
  • our public websites https://micron21.com/

This policy does not cover:

  • websites, applications or content owned by our customers and hosted on Micron21 infrastructure. Please report these to the relevant owner
  • third-party services that we link to but do not operate
  • social engineering or phishing of Micron21 staff or customers, physical attacks, and any form of denial-of-service testing.

How to report a vulnerability

Email us at abuse@micron21.com with as much of the following as you can:

  • the system, service or URL affected
  • steps to reproduce what you found
  • what you believe the impact could be
  • any supporting material, such as screenshots or proof-of-concept detail.

If your report contains sensitive information, you can send that information to us securely using our Escrow service: https://escrow.micron21.com/.

You can find this policy and our reporting contact from any of our domains at /.well-known/security.txt.

When researching, please act carefully: don't access, change or download data beyond the minimum needed to demonstrate the issue, stop immediately if you encounter someone else's data, and keep any scanning to non-disruptive volumes.

Vulnerability disclosure contact

Email: abuse@micron21.com

Reports go directly to Micron21's security team. Please don't raise vulnerability reports through our general support channels: using the security contact keeps your report with the right people and keeps details confidential.

What happens next

  • Within 3 business days: we will acknowledge that we've received your report.
  • Within 10 business days of acknowledgement: we will assess severity, confirm whether the vulnerability is valid, and tell you what we found.
  • At least every 20 business days: we will keep you updated on our progress until the issue is resolved.

Confirmed vulnerabilities are fixed under our internal severity-based service levels and tracked through to closure. Where the issue is in software we develop, we investigate the root cause so the fix addresses the class of problem, not just the instance you found.

We ask that you don't publicly disclose a vulnerability until we've confirmed it is resolved or 90 days have passed since your report, whichever comes first, unless we've agreed a different timeline with you.

Sign up for the Micron21 Newsletter