Responsible disclosure policy
Last Updated: October 21, 2025
1. Introduction
Thank you for taking the time to improve the security of Adqvest Capital’s products, services, and systems. We believe in the importance of maintaining a safe and secure environment for our users and customers. We appreciate the efforts of security researchers and ethical hackers who responsibly disclose any potential security vulnerabilities they find.
The purpose of this policy is to provide clear guidelines for security researchers and ethical hackers to report potential vulnerabilities or security issues discovered in Adqvest Capital’s products, services, or systems in a responsible manner.
1.2 Scope
This policy is applicable to all products, services, applications, websites, and systems owned or operated by Adqvest Capital. Any potential security vulnerability or issue related to the aforementioned assets is eligible for submission under this policy.
1.3 Audience
This policy is addressed to all security researchers, both external and internal, and to internal personnel reporting security violations by staff, whether intentional or unintentional.
2. Guidelines for responsible disclosure
Security researchers and ethical hackers are encouraged to act in good faith and make every effort to avoid privacy violations, data breaches, destruction of data, and interruption or degradation of services. Upon discovering a security vulnerability or incident related to our products, services, websites, or systems, we recommend the following guidelines for reporting the issue.
2.1 Do’s
- Do provide us with a detailed description of the vulnerability or incident, including the steps to reproduce it, if applicable
- Do share your contact information so that we can communicate with you regarding the disclosure process and any updates related to the reported issue
- Do act in good faith and make a reasonable effort to avoid privacy violations, data destruction, and interruption or degradation of our services during your research
- Do allow us a reasonable amount of time to investigate and address the reported issue before public disclosure
- Only test for vulnerabilities on systems or assets you own or have explicit permission to test. Unauthorized access or any activity that violates the law is strictly prohibited and may result in legal action
2.2 Don’ts
- Don’t exploit any discovered security vulnerabilities beyond what is necessary to demonstrate the issue
- Don’t disclose the issue to any third parties before we have had an opportunity to investigate and address it (OR)
- Don’t disclose or share the details of any identified vulnerabilities or issues with third parties before receiving explicit written consent from Adqvest Capital (OR)
- Don’t disclose the issue to any third parties before a mutually agreed upon time period expires
- Don’t act in ways that may harm Adqvest Capital or its customers intentionally or unintentionally
3. Reporting vulnerabilities
The following sections describe what can be reported as vulnerabilities and the methods and channels of reporting them.
3.1 What to report
We appreciate reports related to potential security vulnerabilities, including but not limited to:
- Software Bugs and Flaws
- Weak Authentication and Passwords
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Security Misconfigurations
- Outdated Software and Patch Management
- Sensitive Data Exposure
- Insecure Direct Object References (IDOR)
- Remote Code Execution (RCE)
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Phishing and Social Engineering
- Unencrypted Communications
- Insecure File Uploads
- Insufficient Logging and Monitoring
- Buffer Overflow
- Clickjacking
- Information Disclosure
3.2 How to report
Please submit your findings via email to Security@Thurro.com. Your report should include the following details:
- A detailed description of the vulnerability or issue, including its potential impact
- The steps taken to reproduce the vulnerability, including any necessary proof-of-concept (POC) code or screenshots
- Use a clear subject line that includes “Security Vulnerability Report” or “Security Incident Report”
- Your contact information (name and email address) for communication purposes
4. Response and communication
Upon receiving your report, we will acknowledge receipt within 5 business days. Our security team will review and validate the findings internally. We will strive to keep you informed of our progress and any actions taken during the resolution process.
4.1 Non-disclosure
Adqvest Capital commits to maintaining the confidentiality of your personal information and will not share your details with third parties without your explicit consent unless required by law.
4.2 Resolution and recognition
If your report is valid and leads to a fix, Adqvest Capital may, at its discretion, acknowledge your contribution on our website or through other appropriate channels. We believe in recognising the efforts of security researchers who responsibly disclose vulnerabilities to us.
5. Legal safe harbour
Adqvest Capital will not pursue legal action against security researchers or ethical hackers who report potential security vulnerabilities in accordance with this policy.
6. Policy review and revision
This Policy will be reviewed annually to ensure its effectiveness and relevance. Any necessary updates will be made to address changes in the organisation’s structure, operations, or regulatory environment.
7. Contact information
If you have any questions or need further assistance, please contact us at security@Thurro.com.
8. A word of thanks from Adqvest Capital
By reporting security vulnerabilities responsibly, you contribute to the safety and security of our organization and its users. We value your efforts and thank you for helping us maintain a secure environment.