Vulnerability Disclosure Program
1. Purpose
CEYO encourages responsible security research and coordinated vulnerability disclosure. Security researchers play an important role in improving the resilience, safety, and reliability of modern software infrastructure.
This Vulnerability Disclosure Program explains how security researchers may report potential vulnerabilities affecting CEYO-controlled public systems, what activities are permitted during good-faith research, and how CEYO coordinates investigation and remediation.
2. Scope
This program applies to CEYO-controlled public systems and public-facing website infrastructure.
Systems and issues in scope may include:
• CEYO public website pages and application components
• public-facing interfaces or endpoints controlled by CEYO
• security issues affecting confidentiality, integrity, or availability of CEYO-controlled public systems
Systems and activities out of scope include:
• third-party services, vendors, or hosting providers not controlled by CEYO
• denial-of-service or load testing
• credential stuffing or brute-force testing
• social engineering, phishing, or physical security testing
• accessing or attempting to access accounts, systems, or data you do not own or control
3. How to report a vulnerability
Security researchers who discover a potential vulnerability should report it through the CEYO contact page.
Reports should include as much of the following as possible:
• description of the vulnerability
• affected page, component, or system
• reproduction steps
• proof of concept where safe and appropriate
• expected impact
• any supporting screenshots, logs, or technical context
4. Researcher guidelines
Security research conducted under this program must adhere to the following expectations:
• test only within the scope of this policy
• avoid privacy violations or exposure of data
• do not exfiltrate, alter, delete, or retain data that is not yours
• avoid actions that degrade service performance or availability
• do not establish persistence or maintain unauthorized access
• stop testing once the issue is confirmed
• report the issue promptly after discovery
5. Safe harbor
CEYO supports good-faith security research conducted in accordance with this policy.
CEYO does not intend to pursue legal action against researchers who:
• act in good faith to identify security vulnerabilities
• follow the boundaries and expectations described in this policy
• avoid privacy violations, service disruption, or data exfiltration
• report vulnerabilities promptly and privately
Activities that violate applicable law, exceed the boundaries of this program, or intentionally harm systems or users may fall outside these safe-harbor expectations.
6. Response timeline
CEYO will make reasonable efforts to respond to vulnerability reports in a timely manner.
Typical targets are:
• acknowledgment within 3 business days
• initial assessment within 10 business days
• status updates during review and remediation when reasonably available
These are targets, not guarantees, and may vary depending on severity, complexity, and operational conditions.
7. Coordinated disclosure
CEYO supports coordinated disclosure between researchers and system operators.
Researchers are asked to allow reasonable time for investigation and remediation before public disclosure. Public disclosure is generally encouraged after remediation is complete or after an agreed timeline is reached.
Where appropriate, CEYO may credit researchers who responsibly disclose vulnerabilities.
8. Legal boundary
This disclosure policy does not authorize unlawful access, data exfiltration, destructive testing, privacy violations, or activity outside the defined program scope.
If you are uncertain whether a proposed research activity is permitted under this policy, contact CEYO before proceeding.