Security.
How the institution protects the confidentiality of principals, the integrity of its systems and its published record, and how researchers may disclose a suspected vulnerability.
Confidentiality
Information shared with the institution in the course of engagement is held under strict controls. Access is limited to personnel with a need to know within the relevant engagement team. Confidential engagement information is not used in published research otherwise than in anonymised, aggregated form.
Systems
The institution operates on managed infrastructure with encrypted transport, encrypted storage of engagement information, role-based access control, single sign-on for personnel where appropriate, and continuous logging. Backups are held encrypted, in a separate region from primary systems.
Payments
Payments are processed by an accredited payment services provider under the Payment Card Industry Data Security Standard. The institution does not store payment card numbers.
Vulnerability disclosure
The institution welcomes responsible disclosure of suspected security vulnerabilities in this website and its systems. Please report to security@luxuryhotelbrokers.com. Where possible, please include a description of the issue, steps to reproduce, and any proof-of-concept material. A PGP key is available on request.
Our undertakings
We acknowledge reports within five working days and provide a substantive response as quickly as reasonably possible. We do not pursue researchers who act in good faith under this disclosure policy, who avoid privacy violations, service disruption and destruction of data, and who allow reasonable time for remediation before public disclosure.
Out of scope
Denial-of-service attacks, social engineering of personnel, physical attacks and testing against third-party services on which the institution relies are out of scope of this disclosure policy.
Machine-readable contact
A machine-readable security contact is published at /.well-known/security.txt in accordance with RFC 9116.