Vulnerability Discovery and Disclosure Policy

1. Purpose

Eclypsium is committed to strengthening the security of the global technology ecosystem by responsibly identifying, verifying, and reporting software and hardware vulnerabilities (“security research”) to affected vendors and stakeholders. This policy defines the principles, process, and commitments by which our company and its authorized researchers operate in good faith.

2. Scope

This policy applies to:

  • All independent and commissioned vulnerability research by Eclypsium, including public, proprietary, and client-focused projects.
  • Testing and reporting activities aimed at improving the security of products, services, and critical infrastructure.
  • This policy does not cover activities involving unauthorized physical access, social engineering, or prohibited network intrusion into live production systems.

3. Principles of Authorized Research

Researchers acting under this policy will:

  • Comply fully with all applicable laws and regulations in relevant jurisdictions.
  • Conduct only nonintrusive testing, minimizing risk to systems and data.[1]
  • Cease testing immediately upon encountering personal, customer, or proprietary data.
  • Avoid service disruption, data manipulation, or privilege escalation beyond what is strictly required for validation.
  • NOT exploit vulnerabilities beyond proof-of-concept nor exfiltrate data in any form.
  • NOT perform social engineering, physical access tests, or denial-of-service attacks.

4. Disclosure Process and Timeline

  • Notify affected vendor(s) within 7 business days of initial vulnerability validation.
  • Vendors are requested to acknowledge within 14 days and given 90 days for patching/remediation before public disclosure, unless the risk level requires adjustment.
  • Extensions to the timeline may be considered for complex remediations if justified.
  • All communication must use secure, encrypted channels (e.g., PGP email or web form) and may involve coordination with Computer Emergency Response Teams (CERTs) or regulatory authorities.

5. Coordinated Public Disclosure

  • Public disclosure is deferred until a patch/fix is available, wherever feasible.
  • Disclosures include technical summaries, advisories, CVE details, and mitigation guidance unless specifically requested otherwise by affected parties.[1]
  • Sensitive data is never released; exploit code may be published only after remediation.
  • Researchers may engage third-party coordinators (CERT/CC, CISA, FIRST) to resolve vendor or process disputes.

6. Safe Harbor Commitment

Eclypsium provides Safe Harbor for good-faith research conducted under this policy. If legal action is threatened or initiated in connection with compliant research, we will support researchers by providing documentation and evidence of policy compliance to relevant authorities.

7. Researcher Recognition

Researchers performing valid coordinated disclosures may, at Eclypsium’s discretion, be publicly acknowledged or offered rewards when applicable.

8. Legal & Export Controls

This policy is governed by Oregon/United States law. Eclypsium does not transfer or export technical vulnerability details or tools in violation of any export control regulations.

9. Confidentiality and Non-Disclosure

All findings and communications remain confidential until coordinated public release, unless required by law or with explicit mutual agreement.

10. Contact Information

Eclypsium email contact information: [email protected]