Responsible Disclosure Policy
As a cybersecurity firm, we welcome reports from the security community. This policy explains how to report a vulnerability in our website or systems and what you can expect from us.
1. Our Commitment
EIC Limited (“EIC”, “we”, “us”) takes the security of our website, platforms, and the data we hold seriously. We value the work of security researchers and welcome the responsible disclosure of vulnerabilities so we can resolve them before they can be exploited.
If you believe you have found a security vulnerability affecting EIC, we encourage you to report it to us privately using the process below. We commit to investigating all legitimate reports in good faith and will not take legal action against researchers who follow this policy.
2. Scope
This policy applies to vulnerabilities discovered in assets owned and operated by EIC, including:
- The public website at www.eicsecure.com and its subdomains
- The source code published in our public repositories
- Email and DNS configuration for the eicsecure.com domain
If you are unsure whether something is in scope, contact us first at security@eicsecure.com before testing.
3. How to Report a Vulnerability
Email security@eicsecure.com with as much detail as possible. Encrypted (PGP) reports are welcome on request. To help us triage quickly, please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- The affected URL, endpoint, parameter, or component
- Any proof-of-concept code, screenshots, or request/response captures
- Your name or handle if you would like to be credited
Please do not include live exploit payloads against third-party data, and do not disclose the issue publicly until we have confirmed it is resolved.
4. What to Expect
When you submit a report in line with this policy, you can expect the following from us:
Acknowledgement
We confirm receipt of your report within 2 business days.
Triage
We validate and assess severity, and provide a remediation timeline within 5 business days of triage.
Updates
We keep you informed of progress through to remediation.
Credit
With your permission, we credit you once the issue is resolved.
We aim to acknowledge every report within 2 business days and to provide a remediation timeline within 5 business days of triage. Complex issues may take longer to resolve; we will keep you informed throughout. We ask that you give us a reasonable period to remediate before any public disclosure, and we are happy to coordinate timing with you.
5. Guidelines for Researchers
To keep testing safe and lawful, we ask that you:
- Act in good faith and avoid privacy violations, data destruction, and service disruption
- Only interact with accounts you own or have explicit permission to test
- Stop testing and report immediately if you encounter personal data, and do not access, copy, or store it beyond what is necessary to demonstrate the issue
- Use only your own test data and accounts; do not pivot to other systems
- Keep the details of any vulnerability confidential until we confirm it is resolved
6. Out of Scope
The following are generally not eligible under this policy and should not be tested:
- Volumetric or application-layer denial-of-service (DoS/DDoS) attacks
- Social engineering, phishing, or physical attacks against EIC staff or facilities
- Findings that require a compromised end-user device, rooted device, or man-in-the-middle position
- Reports from automated scanners without a demonstrated, exploitable impact
- Missing best-practice headers or configuration issues with no proven security impact
- Vulnerabilities affecting outdated or unsupported browsers
7. Safe Harbor
We consider security research and vulnerability disclosure conducted in line with this policy to be authorised. We will not pursue or support legal action against researchers who act in good faith, comply with this policy, and avoid privacy violations and service disruption.
If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorisation known. If in doubt, contact us at security@eicsecure.com before testing.
8. Recognition
EIC does not currently operate a paid bug bounty programme. However, we are grateful for every responsibly disclosed report. With your permission, we are happy to publicly acknowledge your contribution once the issue has been resolved.
This policy is published in machine-readable form at /.well-known/security.txt in accordance with RFC 9116.