I. Introduction

At EYGA, we place a high priority on our users' security and privacy. In order to better secure our system and help our organization mitigate risk, we support the assistance of security experts and the general public in enabling the disclosure and remediation of vulnerabilities identified within our SaaS program. This document describes our Public Vulnerability Disclosure Program (PVDP).

II. Scope

Security flaws in our primary SaaS application, located at EYGA, and any related online services, applications, or plugins are all included in this program. Please use the proper methods to notify us of any security vulnerabilities that you find.

III. Reporting a Vulnerability

Please use our dedicated vulnerability reporting channel, eygasupport@ey.com, to report any security flaws you find. In your report, please include the following information:

  • A comprehensive explanation of the flaw
  • Procedures to reproduce the flaw
  • The full range of foreseeable consequences and risks
  • Any known solutions or workarounds, if possible

IV. Legal Safe Harbor

When you report a security issue to us through our PVDP, we promise to keep your submission private. We will not sue you, because we believe you are acting in good faith and are only trying to make us safer. We ask that you give us a fair amount of time to investigate and fix the problem before disclosing any details to the public.

V. Our Commitment

We will:

  • Promptly confirm our receipt of your report and our investigation into its findings.
  • Examine and confirm the severity of the alleged flaw.
  • Take care of the vulnerabilities that have been confirmed in order of severity.
  • Keep you apprised of our progress until the problem is fixed.

VI. Disclosure Policy

Once the disclosed vulnerability has been fixed, we may, with your permission, publicly acknowledge the vulnerability and your contribution. We will honor your request for anonymity or your request that the specifics of the vulnerability not be made public.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and EYGA will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

VII. Reward Policy

Although we do not have a financial bug bounty program at this time, we do appreciate your support and will give you credit if needed for your efforts to keep our users safe.

VIII. Policy Updates

We retain the right to update this policy at any moment. Any updates will be posted on our website as well as communicated through any other relevant media.

IX. Contact Us

Please contact us at eygasupport@ey.com if you have any questions about our PVDP.

Thank you for your diligence in making EYGA a more secure platform. Sharing your insights in a responsible manner enables our team to protect our users' personal information. We appreciate your help and hard work.

Approval Summary

The implementation of this Vulnerability Disclosure Program symbolizes our commitment to transparency, collaboration, and continuous improvement in the security arena.

Grantee and Sponsor Portal Usage Disclaimer

AmeriCorps actively monitors this system and software activity to maintain system security, availability, and to ensure appropriate and legitimate usage. Any individual who intentionally accesses a federal computer or system without authorization, and who alters, damages, makes unauthorized modifications to, or destroys information in any Federal interest computer, or exceeds authorized access, is in violation of the Computer Fraud and Abuse Act of 1986 (Public Law 99-474). Any evidence of possible violations of proper use or applicable laws found as a result of this monitoring may be turned over to Corporation Management and law enforcement. Any individual found to be in violation of the system proper use rules or law could be punished with loss of system access, fines, and imprisonment. By proceeding, you hereby acknowledge your agreement with these terms and the system's rules of behavior and consent to such monitoring and informational retrieval for law enforcement and other official purposes.