Vulnerability Disclosure Policy

Last updated: 22 April 2026

Our commitment

Context Risk Advisory Limited takes the security of our services seriously. We welcome responsible disclosure from security researchers and the wider community. If you believe you have found a security vulnerability in any of our products or services — including CanaryCue — please report it to us as described below.

How to report

Send a report to security@contextrisk.ie with the following information:

A description of the vulnerability and the affected service or product.
Steps to reproduce the issue, including any proof-of-concept code or screenshots.
The potential impact, in your assessment.
Your name and contact details (optional, but helpful if we need to follow up).

Please encrypt sensitive reports using our PGP key if possible. Contact us first at the email above and we will provide the key.

What to expect

Acknowledgement: We will acknowledge your report within 72 hours.
Assessment: We will investigate and assess the severity within 10 business days.
Updates: We will keep you informed of progress and agree a disclosure timeline with you.
Remediation: Critical and high-severity vulnerabilities will be prioritised and patched without undue delay.

Regulatory notification

In accordance with the EU Cyber Resilience Act (Regulation 2024/2847), we will notify the Irish National Cyber Security Centre (NCSC) of any actively exploited vulnerability within the statutory 24-hour window. We will also notify affected customers as required by applicable law.

Responsible disclosure guidelines

We ask that researchers:

Do not access, modify, or delete data belonging to other users.
Do not perform denial-of-service attacks or disrupt production services.
Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it.
Act in good faith and in accordance with applicable law.

Researchers who act in accordance with these guidelines will not face legal action from us in relation to their disclosure.

Contact

Security disclosures: security@contextrisk.ie
General enquiries: info@contextrisk.ie