Vulnerability Disclosure Policy
At Eummena, the security of our Communication and Information Systems is a top priority, in line with our ISO 27001-certified Information Security Management System (ISMS).
However, despite best efforts, vulnerabilities can never be completely eliminated. When vulnerabilities are identified and exploited, they put at risk the confidentiality, integrity or availability of the European Commission's systems and the information processed therein.
The scope of Eummena's Vulnerability Disclosure Policy is the protection of the confidentiality, integrity and availability of information. The policy applies to all data, hardware, information, personally identifiable information (PII) and other classes of protected information in any form (physical, electronic, oral etc.) that belongs to or is controlled by Eummena.
This vulnerability disclosure policy describes what systems and types of tests are authorised and how to send vulnerability reports. We encourage you to contact us to report potential security issues in our systems by following this policy.
Vulnerability Disclosure Policy Statement
Eummena, as a company, remains committed to offering our customers and partners top-quality services while ensuring that their data and personal information remain secure and protected throughout their interactions with our services.
To that end, Eummena runs a best-in-class Responsible Vulnerability Disclosure Program that enables our customers, associates, alumni and other stakeholders to report potential security vulnerabilities in any of our main services.
To ensure that such weaknesses are disclosed responsibly, please follow these general guidelines:
- All relevant submissions should be made through the vulnerability disclosure form located at the bottom of this page
- Make sure to report any identified vulnerabilities in a timely fashion to ensure quick triage and mitigation from our team of security experts. That way you also get your reward as soon as possible!
- This disclosure program, as well as all vulnerability-associated rewards, is solely managed and operated by Eummena in accordance with the published terms and conditions.
- We ask that any identified vulnerabilities remain strictly confidential to safeguard our community of customers and partners and reduce their exposure. All submissions should be made confidentially through this program's submission page; no public disclosure or other form of publication should be made. We reserve the right to withhold rewards or initiate legal action if these conditions are not met.
- Any personal data or other confidential information that comes into your possession, or is otherwise processed by you, as a result of an identified vulnerability must be destroyed immediately after the vulnerability has been submitted, to protect our community's privacy.
- Finally, ensure that all vulnerability research has been performed through lawful means only, refraining from illegally accessing computer systems, user accounts and sensitive information that do not belong to you or that Eummena has not explicitly permitted you to access.
- Attempting to use malware or other malicious software, directly contacting customers and partners of Eummena, or sending spam and/or fraudulent email or electronic messages is strictly forbidden under the rules of this program.
Scope
You are asked to report all identified security vulnerabilities, except those that fall under one or more of the categories below. These are considered out of scope and will not be accepted as legitimate vulnerability submissions by Eummena's cybersecurity team. The following vulnerability types are out of scope:
- HTTP security headers
- Browser cookie security flags
- SSL/TLS & certificate related issues (ex. ciphers, certificate strength etc.)
- Password policy (ex. password complexity, expiration, password reset timeout etc.)
- Session expiration time interval
- Self-XSS
- Error messages - Unless they lead to sensitive data exposure
- Clickjacking issues
- Account lockout policies
- Security control recommendations (firewalls, WAFs etc.)
- Vulnerabilities only relevant to users of legacy/obsolete/out-of-date browsers
- Email server issues - Unless directly exploitable through the web application/API
- Email/Username enumeration (other enumerations are in scope)
- Out-of-date vulnerable third-party libraries (Unless you can demonstrate exploitability of the vulnerability on the web application)
Authorisation
If you act in good faith to identify and report vulnerabilities on Eummena systems while complying with this policy, we will work with you to understand and resolve the issues quickly.
Eummena will not pursue legal action related to your activities of identifying vulnerabilities on our systems as long as you follow the guidelines in this policy.
Forbidden activities
The following activities are strictly prohibited, will not be eligible for any rewards and may even result in accounts/IP addresses/clients getting banned from our services altogether:
- Phishing/Social Engineering attacks
- Malware & Malicious software usage
- Denial of Service & Distributed Denial of Service attacks
- IP/port scanning
- Attacking the load-balancers that serve the applications and API endpoints directly
- Attacking the network and/or hosts of the applications and API endpoints directly - unless possible through an application/API vulnerability
- Post-exploitation activities (lateral movement, backdoors, rootkits, scheduled tasks etc.)
- Excessively aggressive use of automated scanning tools:
  - Always pace your scanning tools to a reasonable number of concurrent requests against the environment
  - Do not create large numbers of new database entries via automated means (e.g. new accounts); only create what is necessary for your testing, in a manual or semi-automated manner
- Do not attempt to brute-force credentials
Rewards
Rewards are awarded by Eummena, after successful validation of your submission.
Submissions should be acknowledged within 72 hours by our cybersecurity team, at which point the team will start working to validate your submission. This process will usually take no more than 5 business days but is subject to security team availability and other priorities.
For any further questions about the program and its guidelines, please reach out to our cybersecurity team at security@eummena.org.
Submission form