Security
Vulnerability Management Policy
How Finpliq identifies, triages, fixes and records security weaknesses.
- Owner
- Security & Engineering
- Effective from
- 8 July 2026
- Last reviewed
- 8 July 2026
- Review cycle
- Annual or following material change
At a glance
Security findings should be logged, prioritised and remediated based on risk.
Responsible disclosure reports are welcomed through the published disclosure route.
Full policy
Sources include dependency alerts, code review, internal testing, responsible disclosure, security scans and operational incidents.
Findings are prioritised using likelihood, impact, data sensitivity, exploitability and whether customer or HMRC-related data is affected.
Critical issues require immediate triage and mitigation. Lower-risk items should be scheduled into the release backlog with accountability.
Vulnerability fixes must be regression-tested against authentication, tenant isolation and filing workflows.