Responsible Disclosure Policy

EasyAudit, Inc. — Effective March 30, 2026

Document Owner:    Chief Technology Officer (CTO)
Approved By:       Chief Executive Officer (CEO)
Effective Date:    March 30, 2026
Review Frequency:  Annual, or after a significant security event
Version:           1.0
Classification:    Public

1. Introduction

EasyAudit is an AI-powered compliance automation platform that helps organizations prepare for and achieve security certifications including SOC 2, ISO 27001, HIPAA, and others. The security of our platform, our customers' data, and the broader internet community is a top priority.

We recognize that independent security researchers play a valuable role in internet security. This policy outlines how to report potential security vulnerabilities to EasyAudit, what you can expect from us, and what we ask of you in return.

2. Scope

This policy applies to vulnerabilities discovered in the following assets owned and operated by EasyAudit:

Asset                            Description
https://start.easyaudit.ai       Primary SaaS application
https://easyaudit.ai             Marketing website
https://*.easyaudit.ai           All first-party subdomains
EasyAudit API endpoints          Backend API services
EasyAudit mobile applications    If applicable, any official mobile apps

The following are explicitly out of scope:

  • Third-party services and integrations (e.g., Vercel, Supabase, AWS, GCP, GitHub) — report vulnerabilities in those services directly to the respective vendor
  • Social engineering, phishing, or physical attacks against EasyAudit employees or offices
  • Denial-of-service (DoS/DDoS) attacks
  • Automated scanning that generates significant traffic or degrades service availability
  • Findings from applications or systems not owned by EasyAudit

3. How to Report a Vulnerability

Please send your report via email to:

security@easyaudit.ai

If you need to transmit sensitive information, please request our PGP public key by emailing the address above.

To help us evaluate and respond to your report quickly, please include the following details:

  1. A clear description of the vulnerability and its potential impact
  2. Detailed steps to reproduce the issue, including URLs, request/response data, screenshots, or proof-of-concept code
  3. The type of vulnerability (e.g., XSS, SQL injection, IDOR, authentication bypass, SSRF)
  4. Any tools or scripts used during discovery
  5. Your assessment of severity (e.g., using CVSS 3.1)
  6. Your name and contact information (if you wish to be credited)

4. What to Expect from Us

Response Milestone                                 Target Timeline
Acknowledgment of your report                      Within 3 business days
Initial triage and severity assessment             Within 7 business days
Status update on remediation progress              Within 14 business days
Remediation of critical/high-severity issues       Within 30 calendar days
Remediation of medium/low-severity issues          Within 90 calendar days
Researcher notification upon fix deployment        Within 5 business days of fix

We will work with you in good faith and keep you informed throughout the remediation process.

5. Safe Harbor

EasyAudit will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy. Specifically:

  • We consider research conducted under this policy to be authorized and will not initiate legal action against you for circumventing technology measures under the DMCA or similar laws
  • We will not file a complaint with law enforcement against you for your research activities conducted in compliance with this policy
  • If a third party initiates legal action against you for activities conducted in accordance with this policy, we will make reasonable efforts to make it known that your actions were authorized

This safe harbor applies only to legal claims under EasyAudit's control and does not bind independent third parties.

6. Researcher Guidelines

To remain within the scope of this policy, we ask that you:

  1. Act in good faith and avoid actions that could harm EasyAudit, our customers, or our services
  2. Do not access, modify, delete, or store data belonging to other users; use only your own test accounts
  3. Stop testing and report immediately if you encounter customer data or personally identifiable information (PII)
  4. Do not perform denial-of-service testing, social engineering, spam, or brute-force attacks
  5. Do not publicly disclose vulnerability details until EasyAudit has confirmed remediation and provided written consent
  6. Provide EasyAudit a reasonable timeframe (minimum 90 days) to address the issue before any public disclosure
  7. Comply with all applicable laws and regulations

7. Qualifying Vulnerabilities

Examples of vulnerabilities we are particularly interested in:

  • Remote code execution (RCE)
  • SQL injection, NoSQL injection, or other injection flaws
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Authentication or authorization bypass (including IDOR)
  • Server-side request forgery (SSRF)
  • Sensitive data exposure (API keys, credentials, PII leakage)
  • Insecure direct object references
  • Privilege escalation
  • Insecure deserialization
  • Business logic flaws with demonstrable security impact

The following are generally not eligible:

  • Missing security headers without a demonstrated exploit
  • Clickjacking on pages with no sensitive actions
  • Self-XSS (requires social engineering to exploit)
  • CSRF on unauthenticated forms or logout
  • Vulnerabilities in outdated browsers or platforms
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Information disclosure of non-sensitive data (e.g., server version headers)
  • SPF/DKIM/DMARC configuration issues without a demonstrated attack

8. Recognition and Rewards

EasyAudit does not currently operate a paid bug bounty program. However, we deeply value the contributions of security researchers and offer the following:

  • A letter of appreciation that can be used for professional references
  • Early notification of fixes related to your findings

We regularly evaluate the feasibility of introducing a monetary rewards program and will update this policy accordingly.

9. Compliance Alignment

This responsible disclosure policy supports EasyAudit's commitments under the following compliance frameworks:

  • SOC 2 (Type I, 2017 criteria) — Security and Availability Trust Services Criteria
  • ISO 27001:2022 — Annex A, Control A.5.1 (Policies for Information Security) and A.8.8 (Management of Technical Vulnerabilities)

This policy is reviewed annually, or more frequently following a significant security event, as part of EasyAudit's broader Information Security Management System (ISMS).

10. security.txt (RFC 9116)

In addition to this policy, EasyAudit publishes a machine-readable security.txt file at:

https://easyaudit.ai/.well-known/security.txt

This file conforms to RFC 9116 and contains our security contact information, disclosure policy link, and PGP key reference.
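As an added example (not EasyAudit's published file or tooling), the following Python checker parses a security.txt and verifies the RFC 9116 rules publishers most often get wrong: at least one Contact field using a mailto:, tel: or https: URI, exactly one Expires field holding an RFC 3339 timestamp that is still in the future and (per the RFC's recommendation) less than a year out, and at most one Preferred-Languages field. The sample file it checks is constructed here; only the Contact address comes from this policy, and the Policy and Encryption URLs are placeholders.

```python
"""Minimal RFC 9116 security.txt checker (added example, not EasyAudit's code).

The sample file below is constructed for this example; the Policy and
Encryption URLs are placeholders, not EasyAudit's published paths.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_SECURITY_TXT = """\
# Constructed sample; only the Contact address comes from the policy above.
Contact: mailto:security@easyaudit.ai
Expires: 2027-03-30T00:00:00.000Z
Encryption: https://easyaudit.ai/PLACEHOLDER-pgp-key.txt
Policy: https://easyaudit.ai/PLACEHOLDER-disclosure-policy
Preferred-Languages: en
"""

# RFC 9116 requires Contact values to be URIs; these are the schemes it names.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def _parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; a trailing 'Z' is normalised for fromisoformat()."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def parse_security_txt(text):
    """Return a list of (field, value) pairs; comments and blank lines are skipped.

    Field names are case-insensitive in RFC 9116, so they are lower-cased here.
    A non-comment line without a ':' separator raises ValueError.
    """
    fields = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of human-readable problems; an empty list means the file passes.

    `now` may be a timezone-aware datetime or an RFC 3339 string; it defaults to
    the current UTC time, which is what a scheduled check would use.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_rfc3339(now)
    problems = []
    fields = parse_security_txt(text)

    contacts = [v for k, v in fields if k == "contact"]
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {contact}")

    expires = [v for k, v in fields if k == "expires"]
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:
            when = _parse_rfc3339(expires[0])
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif when <= now:
                problems.append(f"file has expired ({expires[0]})")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year away (RFC 9116 recommends under a year)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")

    if sum(1 for k, _ in fields if k == "preferred-languages") > 1:
        problems.append("Preferred-Languages must appear at most once")

    return problems


if __name__ == "__main__":
    for issue in validate_security_txt(SAMPLE_SECURITY_TXT) or ["OK: no problems found"]:
        print(issue)
```

Running the module prints any problems found in the sample, or a single OK line. Because Expires is what most frequently silently invalidates a published file, a check like this belongs in the deployment pipeline for the marketing site rather than being run once by hand.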

11. Contact Information

Security Reports:   security@easyaudit.ai
General Inquiries:  info@easyaudit.ai
Website:            https://easyaudit.ai

12. Revision History

Date            Version  Description          Author
March 30, 2026  1.0      Initial publication  CTO