Cyolo is committed to the security of our platform, our customers, and their data. We recognize that independent security researchers play a vital role in strengthening the security posture of internet-facing systems and services. This Vulnerability Disclosure Policy (VDP) explains how security vulnerabilities in Cyolo products may be reported, assessed, and remediated. We are committed to transparency, timely response, and alignment with industry best practices and applicable regulations.
This policy applies to all Cyolo products and cloud services operated by Cyolo.
The following activities and systems are out of scope under this policy:
Third-party services not owned or operated by Cyolo, such as payment processors, analytics platforms, and CDNs. Vulnerabilities in those systems should be reported directly to the applicable vendor.
Social engineering, phishing, and physical attacks against Cyolo systems or personnel.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) testing.
This policy covers vulnerabilities discovered and reported by customers or disclosed by independent researchers and other third parties.
Security researchers and users are encouraged to report vulnerabilities responsibly. Reports should include sufficient details to enable Cyolo to reproduce the issue and assess impact.
To assist with the assessment process, please provide the following:
A detailed technical description of the vulnerability and how it was discovered.
Details of the environment in which the issue was observed (such as the specific hardware, operating system, virtualization platform, and product or software versions).
Whether the vulnerability was successfully exploited, and the steps required to reproduce the issue.
Any additional information that may assist with remediation.
Reports can be submitted via email at security@cyolo.io. For sensitive reports, please request our public encryption key.
Any information you receive or collect about Cyolo, its clients, or their employees while researching a suspected vulnerability must be kept confidential and used only for the purposes of this policy. You may not use, disclose, or distribute any such confidential information, including, but not limited to, information regarding your submission and information you obtain when researching Cyolo sites, without prior written consent from Cyolo.
After receiving the report, the Cyolo Security and R&D teams will initiate the response and vulnerability handling process.
An email will be sent to confirm that your report has been received. You may expect an acknowledgement email within 1 to 3 business days.
Validation and severity assessments will be conducted.
A timeframe for investigation and remediation of the vulnerability will be provided. This timeframe will be impacted by the vulnerability severity level (critical/high/medium/low). Severity will be assessed using industry-standard methodologies.
We will maintain ongoing communication with the reporter throughout the process. This may include requests for clarification, discussion of possible mitigations, status updates on remediation, and coordination of public disclosure where appropriate.
We follow a coordinated vulnerability disclosure process designed to balance transparency with user protection. Upon validation of a reported vulnerability, we will work with the reporter to agree on a reasonable disclosure timeline.
By default, public disclosure is targeted within 90 days of initial acknowledgment, or sooner if a fix is available. In accordance with applicable regulations, Cyolo may report actively exploited vulnerabilities to relevant authorities within required timeframes. In such cases, or in cases of significant risk to users, we may accelerate disclosure and mitigation efforts. Cyolo may delay public disclosure if necessary to protect customers or ensure effective remediation, in line with responsible disclosure best practices.
In certain cases, Cyolo may coordinate disclosure with relevant authorities, CERTs, or affected partners.
Researchers are requested to refrain from publicly disclosing details of the vulnerability until a fix or mitigation is available, or until the agreed disclosure timeframe has elapsed. We commit to keeping reporters informed throughout the process and to providing appropriate credit where desired.
We support and encourage responsible security research conducted in good faith. Activities carried out in accordance with this Vulnerability Disclosure Policy will be considered authorized, and we will not pursue legal action against individuals who identify, report, and help remediate vulnerabilities in a responsible manner.
“Good faith” research means that the researcher:
Makes a genuine effort to avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.
Only accesses data that is strictly necessary to demonstrate the vulnerability and does not retain, copy, or disclose any sensitive data.
Immediately reports any inadvertently accessed sensitive information and securely deletes it.
Does not exploit the vulnerability beyond what is necessary for a proof-of-concept.
Under this policy, we commit that:
We will not initiate legal action or refer matters for investigation where research is conducted in compliance with this policy and applicable laws.
We will acknowledge receipt of vulnerability reports and provide regular updates on remediation progress.
We will work with researchers to understand and resolve issues promptly and transparently.
We will provide public recognition to researchers, where desired, once the vulnerability has been resolved and disclosed.
Researchers must comply with all applicable laws and regulations (federal, state, and local) in connection with their security research activities or other participation in this VDP.
Nothing in this policy authorizes any activity that is inconsistent with this policy or applicable law. Any person or entity engaging in conduct outside the scope of this policy or in violation of applicable law may be subject to civil or criminal liability.
This policy does not grant permission to access any systems or data beyond what is expressly permitted under this policy. If you are unsure whether a particular action is permitted, please contact us before proceeding.
This Safe Harbor is intended to reduce uncertainty for security researchers and aligns with internationally recognized frameworks and best practices for coordinated vulnerability disclosure.
While Cyolo encourages responsible reporting of vulnerabilities, the following conduct is expressly prohibited:
Executing, or attempting to execute, a denial-of-service (DoS) attack against any product or website.
Posting, transmitting, uploading, linking to, sending, or storing malicious software or ransomware.
Engaging in cyber extortion, including threatening the availability, confidentiality, or integrity of Cyolo data or Cyolo client data unless payment is made.
Conducting social engineering against any Cyolo employee, contractor, client, or prospective client, including phishing and any testing that would result in unsolicited email, spam, or messages.
Conducting testing outside the scope of this policy or in a manner that disrupts services, degrades user experience, or compromises the security, confidentiality, or integrity of data or systems.
Selling, bartering, or otherwise benefiting from a vulnerability or from data that does not belong to the researcher.
Downloading, exfiltrating, copying, or otherwise retaining Cyolo data or Cyolo client data that does not belong to the researcher.
Deliberately destroying, corrupting, modifying, or attempting to destroy, corrupt, or modify data or information that does not belong to the researcher.
If a researcher inadvertently accesses data that does not belong to them as a result of a vulnerability, the researcher must immediately stop further access, securely delete any locally stored copies unless otherwise required for reporting, and promptly notify Cyolo.
We will provide regular updates to reporters and affected stakeholders. Critical issues will be communicated promptly. Information about security fixes will be published in version release notes.
This policy is intended to align with ISO/IEC 29147 (Vulnerability Disclosure) and to support compliance with applicable requirements of the EU Cyber Resilience Act (“CRA”). It is subject to periodic review and updates to ensure alignment with industry best practices, evolving threats and regulations.
Version 1.0
Last updated: April 2026