Report a security concern

Use this form to tell us about a suspected security vulnerability in any Thrive product or service — for example a way to access data you shouldn't be able to see, a way to do something on the service you shouldn't be allowed to do, or unsafe handling of personal information.

What this form is for

In scope:

- Anything that lets someone access information they shouldn't have access to

- Anything that lets someone perform actions they shouldn't be able to perform

- Sensitive information being exposed (data leaks, exposed credentials, secrets in source)

- Anything else you reasonably believe puts Thrive customers, their data, or their buildings at risk

Not in scope here (please use a different channel):

- Customer support questions, billing, or feature requests → contact your usual Thrive support email.

- Reports about issues in third-party services we use (e.g. Microsoft 365, Cloudflare) → please report directly to that vendor.

- General feedback or bug reports that aren't security-relevant → contact support.

What to include in your report

The more of the following you can give us, the faster we can triage:

- What you observed — a clear description of the issue.

- Where you observed it — the page, screen, or part of the service.

- How to reproduce it — step-by-step, including any specific input values.

- What an attacker could achieve — your view of the impact (data exposure, account takeover, denial of service, etc.).

- When you found it — date and approximate time, and whether you've seen it more than once.

- Your environment — browser and version, OS, device if relevant.

- Supporting evidence — screenshots, log snippets, video. Please redact any personal data from these.

A partial report is still welcome — don't let missing detail stop you from submitting.

Our commitment

Researchers acting in good faith under this process — following the rules below — will not be subject to legal action by Thrive for their report.

Please follow these rules while researching

- Don't access, modify, copy, or delete data that isn't yours. If you can demonstrate impact using a single test account you control, please stop there — pivoting further is not authorised.

- Don't degrade or disrupt our services. No denial-of-service testing, no automated scanning that generates significant load, no social-engineering attempts against our staff or customers.

- Don't share details publicly (blog posts, social media, mailing lists, conference talks) until we've had a reasonable opportunity to investigate and remediate.

- Use only your own accounts and your own data when reproducing the issue.

If the issue is critical or being actively exploited

Submit this form and email security@thrive-ai.co.uk so we can prioritise.

---

By submitting this form you confirm you've read the above and that your report is made in good faith.