Skip to content

Responsible Disclosure Policy

This policy is intended to give guidance for submitting potential vulnerabilities discovered on Moonpig Group's website, mobile apps or other resources.

Following the responsible disclosure process allows us to take steps to address any vulnerabilities, thereby protecting our customers and systems.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we are currently unable to offer financial incentives or gifts for raising vulnerability disclosures.

 The scope of this policy includes:

  • *.moonpig.com

  • *.moonpig.net

  • *.moonpig.io

  • *.moonpiggroup.com

  • *.moonpig.group

When disclosing a vulnerability, we ask that you:

  • Email your findings to [email protected] (including a description of the problem, what the problem affects and any necessary reproduction steps).

  • Don’t access unnecessary, excessive or significant amounts of data. 

  • Only use your own Moonpig account(s) for any proof of concepts.

  • Don’t tell anyone else about the problem until we’ve responded, addressed (and if appropriate) contacted any affected users.

  • Don’t run any automated tools against our website (examples include, but are not limited to, Nikto, Burp scanner, Nessus, etc).

  • Don’t target our physical security, perform any social engineering, denial of service, spam or target applications of third parties, or otherwise break any laws.

What you can expect from us:

  • We’ll respond to you within 3 business days acknowledging your disclosure.

  • We’ll keep you up-to-date as we investigate and address your disclosure.

  • Prioritisation for remediation considers the impact, severity and complexity of the vulnerability. Given this, please understand that it may take some time for a fix to be implemented.