ACE Learning Trust
This policy applies to ACE Learning Trust and its academies:
- ACE Learning Trust – ace-learning.org.uk
- Furley Park Primary Academy – furleypark.org.uk
- Hamstreet Primary Academy – ham-street.org.uk
Purpose
ACE Learning Trust is committed to maintaining the security, availability, and integrity of its digital systems, and to protecting the personal data of pupils, staff, and the wider school community.
We welcome responsible reports of genuine security vulnerabilities so that they can be investigated and addressed appropriately.
How to report a security concern
If you believe you have identified a security vulnerability affecting one of our websites or systems, please report it by email to:
When reporting an issue, please include:
- The website or system affected
- A clear description of the issue
- Steps to reproduce the issue, if possible
- Any relevant screenshots or evidence
Scope
This policy applies to:
- Websites and web-based systems owned or operated by ACE Learning Trust and its academies
- Public-facing services hosted under Trust or school domains
This policy does not apply to:
- Third-party services or platforms used by the Trust (for example, externally hosted learning platforms, payment systems, or cloud services), unless explicitly stated
Responsible disclosure expectations
We ask that anyone reporting a security issue acts responsibly and in good faith.
You must:
- Avoid accessing, modifying, or downloading personal or sensitive data
- Avoid actions that could disrupt services or impact users
- Stop testing immediately once a vulnerability is identified
- Allow reasonable time for investigation and remediation
Please do not:
- Attempt to exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Perform denial-of-service (DoS or DDoS) testing
- Carry out social engineering, phishing, or physical security testing
- Use automated scanning or attack tools against live systems
- Share or publish details of vulnerabilities before they are resolved
Safe harbour
If you follow this policy in good faith and report vulnerabilities responsibly, ACE Learning Trust will not pursue legal action in relation to the activities undertaken to identify and report the issue.
This does not permit:
- Unauthorised access to data
- Actions that breach safeguarding, data protection, or criminal law
- Testing that causes disruption or harm
Safeguarding and legal context
ACE Learning Trust operates within an education and safeguarding environment. Unauthorised access to systems or data, particularly where pupil or staff information is involved, may be unlawful and could place individuals at risk.
This policy does not grant permission to bypass authentication, access restricted information, or test systems beyond what is necessary to identify and report a vulnerability.
Our commitment
Where a report is made responsibly and in line with this policy, ACE Learning Trust commits to:
- Acknowledge receipt of the report within 5 working days
- Investigate the issue promptly
- Take appropriate action to remediate confirmed vulnerabilities
ACE Learning Trust does not operate a bug bounty or reward scheme.
Updates
This policy may be reviewed and updated periodically to reflect changes in systems, guidance, or regulatory expectations.