Legal · version 2026-01 · effective 2026-01-01
Responsible disclosure policy
Cyber Protocol welcomes good-faith reports of security vulnerabilities in our products, our infrastructure, and our customer-facing surfaces. This policy explains how to report, what we promise in return, and the timelines we work to.
1. Where to report
Email security@cyber-protocol.org with a clear description of the issue, the URL or surface affected, and reproduction steps. If the finding is sensitive, please request our PGP key in your first message; we will reply with the key fingerprint and a key ID for further correspondence.
2. Safe harbour
We will not pursue civil action or initiate a complaint to law enforcement against researchers who comply with this policy. To comply, you must:
- Test only against your own accounts, or with explicit written authorisation from an affected account-holder;
- Stop the moment you have proven the vulnerability — do not access, modify, or exfiltrate data beyond what is strictly necessary to demonstrate impact;
- Refrain from running denial-of-service tests, social-engineering against our staff, or physical-security tests, unless agreed in writing in advance;
- Refrain from disclosing the issue publicly until our disclosure window (below) has elapsed or we agree on an earlier date.
3. Response timelines
We commit to the following baseline. We will communicate clearly if a specific case requires more time, and we will not ask you to wait without a substantive reason.
- Initial acknowledgement: within 2 business days.
- Triage + severity rating: within 5 business days.
- Remediation target, by severity rating:
  - Critical: 7 calendar days
  - High: 30 calendar days
  - Medium: 60 calendar days
  - Low: 90 calendar days
- Public disclosure: 90 days from initial report, or sooner if the fix is shipped and we agree on a coordinated date. We may request a one-time 30-day extension if the issue requires a non-trivial architectural change; we will not request a second extension.
4. Upstream / third-party findings
If during an engagement we discover a vulnerability in software outside our control (e.g. an open-source library, a third-party service we integrate with), we will:
- Notify the upstream maintainer using their disclosed process;
- Honour the upstream's disclosure timeline if it is reasonable, or 90 days from our report otherwise;
- Coordinate with the affected customer on whether and how to publicly attribute the finding.
5. Out of scope
The following are not eligible findings under this policy:
- Volumetric DoS / DDoS;
- Social engineering of Cyber Protocol staff or contractors;
- Physical-security tests of our offices or data centres;
- Findings in third-party services that are out of our reasonable control (e.g. Stripe, Resend) — report those directly to the affected vendor;
- Reports generated by automated scanners that do not include a working proof-of-concept.
6. Recognition
We are happy to acknowledge researchers who report material findings on a public hall-of-thanks page (with the researcher's consent and preferred handle). At this time we do not run a paid bug bounty, but we will provide written attestation for use in CVE filings and academic publication.
7. Contact
security@cyber-protocol.org — monitored by the Cyber Protocol security team in Brussels (CET / CEST). Out-of-hours acknowledgement may take up to 24 hours.
This policy is governed by Belgian law. Disputes arising out of this policy are subject to the exclusive jurisdiction of the courts of Brussels. See also our Data Processing Agreement and Privacy Policy.