Responsible Disclosure Policy

At Eye, the security of our systems is a top priority. While we strive to maintain a high level of security, we recognize that no system is ever completely secure. If you discover a vulnerability, we encourage you to report it to us responsibly.

We run a Vulnerability Disclosure Program (VDP) on HackerOne. You can submit your findings directly through security@eye.security. For high and critical severity vulnerabilities, we send exclusive Eye swag as a token of appreciation.

Safe Harbor

We welcome and respect the work of security researchers. We consider activities conducted in good faith and in accordance with this policy to be authorised conduct, and we will not take legal action against you.

If a third party initiates legal action against you in connection with activities covered by this policy, we will confirm that your actions were conducted in compliance with this policy. Please note, however, that:

  • We cannot authorize security research on third-party infrastructure

  • Third parties are not bound by this safe harbor protection

Scope

This policy applies to all Eye-owned or managed systems and services that are accessible via the internet. This includes, but is not limited to, the following assets:

  • Domains:
      • agent.eye.security
      • api.app.eyeunderwriting.eu
      • api.control.eye.security
      • api.integrations.eye.security
      • api.portal.eye.security
      • app.eyeunderwriting.eu
      • apply.underwriting.eye.security
      • checker.apps.eye.security
      • control-plane.eye.security
      • eye-auth.apps.eye.security
      • guardpost.eye.security
      • mdr-dashboard.apps.eye.security
      • onboarding.eye.security
      • portal.eye.security
      • research.eye.security
      • tiramisu.eye.security
      • with-coffee.tiramisu.eye.security

  • IP ranges and infrastructure directly managed by Eye

  • Self-hosted services, cloud infrastructure, and APIs under Eye’s control

Out of scope:

  • Systems owned by customers or vendors

  • Our marketing websites, including (www.)eye.security

  • Third-party SaaS platforms not hosted or managed by Eye, even if they use a domain owned by Eye

  • Missing security headers and e-mail security vulnerabilities

If you're unsure whether an asset is in scope, please contact us at security@eye.security.

Out-of-scope Vulnerabilities

The following are considered out of scope and will not be eligible for recognition:

  • CSRF without demonstrable impact

  • Logout CSRF

  • Password policy issues

  • SPF/DKIM/DMARC and similar e-mail policy misconfigurations

  • Clickjacking

  • Missing security headers without direct exploitability

  • Open redirects

  • Self-XSS

  • Banner disclosures

  • Open ports without associated vulnerabilities

  • Testing third-party SaaS platforms

  • Social engineering or physical intrusion

  • Credential stuffing or brute-force attacks

Reporting Guidelines

Please report vulnerabilities via our HackerOne VDP or email us at security@eye.security (PGP available on our website).

Reports should include:

  • A clear description of the vulnerability

  • Steps to reproduce

  • Affected URLs or IPs

  • Proof of concept (if applicable)

Research Guidelines

We ask that you:

  • Respect the privacy of others and avoid accessing or destroying data beyond what is strictly necessary to confirm the vulnerability

  • Limit exploitation to what is necessary to demonstrate the vulnerability

  • Stop testing immediately and notify us if you encounter sensitive data (i.e. company or customer data)

  • Allow us a reasonable amount of time to remediate reported vulnerabilities before disclosing them publicly or to third parties

  • Refrain from discussing vulnerabilities (including resolved ones) outside this program without express written consent

  • Focus on meaningful findings; avoid submitting high-volume, low-quality reports

What You Can Expect from Us

  • Acknowledgment of your report within 5 business days

  • Transparent communication throughout the remediation process

  • Coordination with relevant authorities (e.g., NCSC-NL) if needed

  • Confidentiality of your identity, unless you give permission to share it

Questions

Questions regarding this policy may be sent to security@eye.security. We also invite you to contact us with suggestions for improving this policy.