CyTrusted Responsible Disclosure Policy


Version 1 – 24/03/2026

1. PURPOSE

CyTrusted is committed to maintaining the security and integrity of its platform, infrastructure, and services.

This Responsible Disclosure Policy describes the process for reporting potential security vulnerabilities affecting:
– The CyTrusted SaaS platform;
– CyTrusted-owned domains;
– Public APIs;
– Public-facing web assets operated by CyTrusted.

We encourage responsible and coordinated disclosure of vulnerabilities.

2. SCOPE

This policy applies exclusively to:
– Systems and services owned or controlled by CyTrusted;
– Production web applications and APIs;
– Official CyTrusted domains.

This policy does not apply to:
– Third-party suppliers monitored through the CyTrusted platform;
– Customer systems;
– Infrastructure not owned or controlled by CyTrusted.

3. AUTHORIZED TESTING

Testing must comply with the following rules:

You must:
– Act in good faith;
– Avoid privacy violations, data destruction, or service disruption;
– Use only non-destructive techniques;
– Immediately stop testing upon discovery of sensitive data;
– Report findings promptly.

You must not:
– Perform denial-of-service testing;
– Use automated scanning tools that generate excessive traffic;
– Attempt to access data beyond what is necessary to demonstrate a vulnerability;
– Exfiltrate, modify, or delete data;
– Exploit vulnerabilities for any purpose other than validation;
– Conduct social engineering attacks against employees.

Testing must not degrade platform availability.

4. SAFE HARBOR

CyTrusted will not pursue legal action against researchers who:
– Act in good faith;
– Comply with this policy;
– Report vulnerabilities responsibly and confidentially.

This safe harbor does not apply to:
– Malicious exploitation;
– Unauthorized data access beyond minimal proof-of-concept;
– Disclosure before remediation;
– Violations of applicable law.

5. REPORTING PROCESS

Vulnerabilities should be reported via:
Email: security@cytrusted.eu

Reports should include:
– Description of the vulnerability;
– Affected URL or system;
– Steps to reproduce;
– Impact assessment;
– Proof-of-concept details (non-destructive);
– Contact information.

Encrypted submissions may be made using our public PGP key (if published).

6. RESPONSE COMMITMENT

CyTrusted will:
– Acknowledge receipt within five (5) business days;
– Provide an initial assessment;
– Work toward remediation in a timely manner;
– Notify the reporter when remediation is completed.

Resolution timelines depend on severity and complexity.

7. CONFIDENTIALITY AND DISCLOSURE

Researchers agree not to publicly disclose vulnerabilities until:
– CyTrusted confirms remediation; or
– A mutually agreed disclosure timeline has passed.

CyTrusted may coordinate public disclosure where appropriate.

8. THIRD-PARTY SYSTEMS

CyTrusted’s platform may analyze third-party external attack surface information.

This policy does not authorize testing of:
– Systems belonging to CyTrusted customers;
– Third-party suppliers;
– External organizations monitored through the platform.

Security testing of monitored third parties must be conducted directly with those entities.

9. NO BUG BOUNTY

CyTrusted does not currently operate a bug bounty program.

Submission of a vulnerability report does not create an entitlement to compensation.

10. POLICY UPDATES

CyTrusted may update this policy at any time.

The version in effect at the time of submission shall apply.