DonCapi™ Security Vulnerability Disclosure Policy

Effective date: 2026
Website: DonCapi.com
Brand: DonCapi™
Email: Ciao@DonCapi.com

This Security Vulnerability Disclosure Policy explains how security researchers, customers, developers and members of the public can responsibly report security vulnerabilities affecting DonCapi.com.

DonCapi™ takes website security, customer privacy, payment safety and account protection seriously.

We welcome responsible reports that help us keep DonCapi.com safe. However, this policy does not give permission for harmful, intrusive, unlawful or disruptive testing.

This policy should be read together with our Privacy Policy, Cookie Policy, Secure Shopping, Account & Customer Account Policy, Website Acceptable Use Policy, Data Protection Rights Request Policy, and Terms and Conditions.


1. Who We Are

DonCapi™
41 Norman Avenue
London
N22 5ES
United Kingdom

Email: Ciao@DonCapi.com
Website: DonCapi.com

In this policy, “DonCapi™”, “we”, “us” and “our” refer to DonCapi™. “You” and “your” refer to security researchers, customers, visitors, developers and anyone reporting a suspected vulnerability.


2. Purpose of This Policy

This policy explains:

  • how to report a security vulnerability;
  • what information to include;
  • what testing is not allowed;
  • how we may respond;
  • how personal data concerns are handled;
  • expectations around responsible disclosure;
  • limits of any permission given by this policy.

We want genuine security issues to be reported safely and responsibly.


3. Scope

This policy applies to suspected security vulnerabilities affecting:

  • DonCapi.com;
  • customer account features;
  • login and password reset systems;
  • checkout pages;
  • basket functionality;
  • contact forms;
  • review forms;
  • newsletter forms;
  • WooCommerce features;
  • WordPress-related security issues visible on DonCapi.com;
  • customer-facing DonCapi™ website systems;
  • exposed DonCapi™ data or misconfiguration;
  • official DonCapi™ subdomains, if any.

If a system is not clearly operated by DonCapi™, it may be outside scope.


4. Out of Scope

The following are usually outside the scope of this policy:

  • third-party websites not operated by DonCapi™;
  • payment provider systems;
  • PayPal, Stripe, Klarna, Apple Pay, Google Pay or similar provider systems;
  • courier tracking websites;
  • social media platforms;
  • plugin vendor websites;
  • hosting provider systems not controlled by DonCapi™;
  • email provider systems not controlled by DonCapi™;
  • vulnerabilities requiring stolen credentials;
  • vulnerabilities requiring physical access;
  • reports based only on outdated software guesses without evidence;
  • low-risk configuration preferences with no practical impact;
  • spam or phishing reports unrelated to DonCapi.com;
  • general best-practice suggestions without a vulnerability.

If a vulnerability affects a third-party provider, please report it to that provider through their own security process.


5. How to Report a Vulnerability

Send vulnerability reports to:

Ciao@DonCapi.com

Use the subject line:

Security Vulnerability Report – DonCapi.com

Please include enough detail for us to understand and reproduce the issue safely.


6. What to Include in Your Report

A helpful report should include:

  • your name or organisation, if you want to provide it;
  • contact email address;
  • affected URL or page;
  • type of vulnerability;
  • clear description of the issue;
  • steps to reproduce;
  • screenshots, if useful;
  • proof-of-concept details, if safe;
  • date and time discovered;
  • browser and device used;
  • whether any personal data may be affected;
  • whether the vulnerability has been disclosed to anyone else;
  • suggested fix, if known.

Please do not include unnecessary personal data, customer data, payment details, passwords or sensitive information.


7. Examples of Reportable Issues

Examples of security issues that may be worth reporting include:

  • unauthorised access to customer accounts;
  • authentication bypass;
  • privilege escalation;
  • exposed admin pages;
  • exposed sensitive files;
  • exposed database information;
  • exposed API keys or secrets;
  • cross-site scripting with practical impact;
  • SQL injection;
  • server misconfiguration exposing data;
  • insecure direct object references;
  • password reset weaknesses;
  • checkout security issues;
  • personal data exposure;
  • security headers missing where there is practical risk;
  • file upload vulnerabilities;
  • email or form abuse with security impact;
  • serious WordPress or WooCommerce misconfiguration affecting DonCapi.com.

8. Do Not Carry Out Harmful Testing

You must not conduct testing that harms DonCapi™, customers, suppliers, payment systems, website availability or personal data.

You must not:

  • access, copy, change or delete customer data;
  • access another customer’s account;
  • attempt payment fraud;
  • test with stolen payment details;
  • perform denial-of-service attacks;
  • run destructive scans;
  • upload malware;
  • install backdoors;
  • exfiltrate data;
  • attempt privilege escalation beyond the proof needed;
  • modify website content;
  • disrupt checkout;
  • disrupt orders;
  • disrupt emails;
  • disrupt hosting;
  • use social engineering;
  • phish staff or customers;
  • physically attack systems or premises;
  • access admin systems without permission;
  • publicly disclose the vulnerability before we have reviewed it.

This policy is not permission to break the law or cause harm.


9. Testing Limits

If you believe you have found a vulnerability, stop as soon as you have enough evidence to report it safely.

You should:

  • use your own account where possible;
  • avoid accessing other users’ data;
  • avoid changing system data;
  • avoid large-scale scanning;
  • avoid brute forcing;
  • avoid service disruption;
  • avoid repeated exploit attempts;
  • avoid public disclosure before resolution;
  • provide safe reproduction steps instead.

Keep testing minimal and proportionate.


10. Personal Data

If you accidentally access personal data while investigating a vulnerability, you must:

  • stop testing immediately;
  • not copy the data;
  • not save the data;
  • not share the data;
  • not publish the data;
  • not contact affected customers;
  • tell DonCapi™ what happened;
  • securely delete anything accidentally collected, unless we ask you to preserve evidence in a safe way.

Personal data may include:

  • names;
  • email addresses;
  • billing addresses;
  • delivery addresses;
  • order details;
  • phone numbers;
  • account information;
  • payment-related information;
  • support messages;
  • IP addresses;
  • tracking details.

Personal data is handled under our Privacy Policy.


11. Payment Data

Do not attempt to access, test, copy, intercept or manipulate real payment card data.

Do not test payment systems using stolen, fake or unauthorised card details.

Payment providers may operate their own security and vulnerability reporting processes. Issues affecting payment providers should be reported to the provider where appropriate.

If you discover a DonCapi.com checkout issue that may affect payment safety, report it without exploiting it further.


12. No Bug Bounty

DonCapi™ does not currently operate a paid bug bounty programme.

Submitting a report does not create a right to payment, reward, gift card, discount, employment, partnership or public recognition.

We may choose to thank or credit reporters at our discretion, but we do not guarantee this.


13. Responsible Disclosure

We ask reporters to follow responsible disclosure principles.

This means:

  • report the issue privately to DonCapi™;
  • give us reasonable time to review and fix it;
  • do not publish technical details before resolution;
  • do not share exploit code publicly;
  • do not use the vulnerability for personal advantage;
  • do not threaten disclosure to demand payment;
  • do not disclose customer data.

If you want to publish research after resolution, contact us first.


14. Public Disclosure

Please do not publicly disclose a vulnerability until DonCapi™ has confirmed that the issue has been resolved or that disclosure is acceptable.

Unauthorised early disclosure may put customers, accounts, orders and website security at risk.

We may ask for more time where a fix requires supplier, plugin, hosting, payment or third-party support.


15. Our Response Process

When we receive a report, we may:

  1. acknowledge receipt where possible;
  2. review the information;
  3. ask for clarification if needed;
  4. assess severity and impact;
  5. reproduce the issue where safe;
  6. prioritise fixes;
  7. involve hosting, plugin, payment or technical providers if needed;
  8. take steps to protect customers;
  9. investigate whether personal data was affected;
  10. update the reporter where appropriate.

Response times may vary depending on the severity, evidence provided and technical complexity.


16. Severity Assessment

We may consider the following when assessing severity:

  • whether personal data is exposed;
  • whether payment safety is affected;
  • whether customer accounts are at risk;
  • whether admin access is possible;
  • whether the exploit requires login;
  • whether the exploit is easy or difficult;
  • whether the issue is already public;
  • whether automated exploitation is possible;
  • whether orders, refunds or checkout can be manipulated;
  • whether the issue affects website availability.

Higher-risk reports will be prioritised.


17. Personal Data Breaches

If a vulnerability report suggests that personal data may have been breached, DonCapi™ will assess the issue in line with applicable data protection law.

This may involve:

  • containing the issue;
  • assessing the risk to individuals;
  • preserving evidence;
  • reviewing logs;
  • contacting technical providers;
  • notifying affected individuals where required;
  • reporting to the ICO where required;
  • improving controls.

The ICO explains that notifiable personal data breaches must be reported without undue delay and generally within 72 hours of becoming aware of the breach.


18. Safe Harbour Limits

DonCapi™ appreciates good-faith vulnerability reports.

However, this policy does not give unlimited permission for security testing.

Any safe harbour or goodwill under this policy applies only where you:

  • act in good faith;
  • follow this policy;
  • avoid harm;
  • avoid privacy violations;
  • avoid service disruption;
  • report promptly;
  • do not exploit the issue;
  • do not demand payment;
  • do not publicly disclose before resolution;
  • comply with applicable law.

We may still take action where testing is harmful, unlawful, abusive, extortionate or outside this policy.


19. Prohibited Conduct

The following conduct is not protected by this policy:

  • extortion;
  • threats;
  • blackmail;
  • selling vulnerabilities;
  • demanding payment for non-disclosure;
  • data theft;
  • customer account access;
  • malware use;
  • denial-of-service activity;
  • destructive testing;
  • social engineering;
  • phishing;
  • physical attacks;
  • unauthorised access to admin systems;
  • publishing customer data;
  • fraud;
  • payment manipulation;
  • repeated testing after being asked to stop.

20. Confidentiality

Vulnerability reports and related communications may contain sensitive security information.

You should treat vulnerability details as confidential until the issue has been resolved and DonCapi™ agrees that disclosure is acceptable.

DonCapi™ may also keep report details confidential to protect customers and systems.


21. Credit and Recognition

If you want public credit for a valid report, say so in your report.

We may choose to provide recognition, but this is not guaranteed.

We may refuse public credit where:

  • the report was low quality;
  • the issue was already known;
  • the report breached this policy;
  • disclosure could create risk;
  • personal data was mishandled;
  • the reporter acted abusively or unlawfully.

22. Duplicate Reports

If multiple people report the same issue, we may treat later reports as duplicates.

We may not respond in detail to duplicate, vague, automated or low-impact reports.


23. False Positives and Low-Impact Reports

Some reports may not be treated as vulnerabilities.

Examples may include:

  • missing headers with no practical risk;
  • outdated software claims without evidence;
  • rate-limiting suggestions without an exploit;
  • clickjacking where no sensitive action is possible;
  • public information exposure;
  • email configuration issues with no impact;
  • generic scan output;
  • theoretical vulnerabilities with no practical path;
  • reports affecting third-party systems only.

We may still review these, but they may be lower priority.


24. Vulnerabilities in WordPress Plugins or Themes

If the issue relates to a WordPress plugin, WooCommerce extension, theme or third-party service, DonCapi™ may need to involve the vendor or provider.

Where appropriate, the vulnerability may also need to be reported to the plugin/theme developer or platform owner.

Do not publicly disclose plugin-specific vulnerabilities in a way that creates risk for DonCapi™ or other websites.


25. Vulnerabilities in Third-Party Services

If a vulnerability affects a third-party service rather than DonCapi.com, report it to the third party.

This may include:

  • payment providers;
  • courier platforms;
  • email providers;
  • hosting providers;
  • analytics platforms;
  • advertising platforms;
  • social media platforms;
  • review platforms.

DonCapi™ may not be able to fix vulnerabilities in systems it does not control.


26. Security Contact

Security reports should be sent to:

Ciao@DonCapi.com

Subject line:

Security Vulnerability Report – DonCapi.com

Please do not send vulnerability reports through social media comments, public reviews or public posts.


27. Customer Security Concerns

Customers who believe their DonCapi™ account, order or personal information may be affected should contact:

Ciao@DonCapi.com

Please include:

  • account email address;
  • order number, if relevant;
  • description of concern;
  • screenshots, if helpful;
  • date noticed.

Do not send passwords or full payment card details.


28. Changes to This Policy

We may update this Security Vulnerability Disclosure Policy from time to time.

Changes may be made because of:

  • website changes;
  • new features;
  • new account systems;
  • new payment systems;
  • new suppliers;
  • security improvements;
  • legal updates;
  • updated cyber guidance;
  • operational needs.

The latest version will be posted on DonCapi.com.


29. Related Pages

You may also wish to read:

  • Privacy Policy;
  • Cookie Policy;
  • Secure Shopping;
  • Website Acceptable Use Policy;
  • Account & Customer Account Policy;
  • Data Protection Rights Request Policy;
  • Terms and Conditions;
  • Complaints Policy.

30. Contact DonCapi™

For vulnerability reports or security concerns, contact:

DonCapi™
41 Norman Avenue
London
N22 5ES
United Kingdom

Email: Ciao@DonCapi.com
Website: DonCapi.com

Subject line:

Security Vulnerability Report – DonCapi.com


31. Brand Notice

DonCapi™ is a premium clothing and lifestyle brand. Any Italian-inspired, cinematic, luxury, old-world or characterful brand theme used on DonCapi.com is for lawful fashion branding and creative style only.

DonCapi™ does not promote unlawful activity, violence, intimidation, organised crime, harassment, exploitation or illegal conduct.


32. Copyright Notice

© 2026 – DonCapi™ – All rights reserved.
