Responsible Disclosure Policy

eVigilantes takes security seriously. We welcome responsible disclosure of security vulnerabilities identified in our owned and operated systems and applications. Responsible reporting helps us maintain the confidentiality, integrity and availability of our services.

This policy applies only to assets owned, operated or directly managed by eVigilantes. Testing of third-party systems, client environments or external infrastructure is strictly out of scope.

If you discover a security vulnerability, please report it responsibly by providing: • A clear technical description of the issue • Steps to reproduce the vulnerability • Proof-of-concept where applicable (non-destructive only) • Potential impact assessment Do not: • Exploit vulnerabilities beyond what is necessary to demonstrate impact • Access, modify or exfiltrate user or client data • Perform denial-of-service (DoS/DDoS), brute-force or automated scanning attacks

eVigilantes will not initiate legal action against individuals who: • Act in good faith • Follow this Responsible Disclosure Policy • Avoid privacy violations, data destruction and service disruption This safe harbor does not apply to activities that are malicious, reckless or outside the defined scope.

Initial acknowledgment: within 24 hours Triage and validation: within a reasonable timeframe Critical vulnerability remediation target: within 72 hours, subject to complexity Resolution timelines may vary based on severity and technical constraints.

eVigilantes does not currently offer monetary rewards for vulnerability disclosures. Recognition may be provided at our discretion.