CVDP

Ampacimon’s Coordinated Vulnerability Disclosure Policy

1. Our commitment

At Ampacimon, we take cybersecurity seriously. We welcome responsible disclosure of vulnerabilities that may affect the security of our public-facing systems and services.

2. Scope

This policy applies only to:

  • Websites under the ampacimon.com domain.
  • Public APIs exposed by Ampacimon.

All other systems, services, and infrastructure are out of scope.

3. Out of scope

The following activities are strictly prohibited:

  • Denial-of-Service (DoS/DDoS) attacks.
  • Social engineering, phishing, or impersonation of Ampacimon employees or customers.
  • Physical security testing, including access to offices, data centers, or hardware.
  • Automated scanning or brute-force attacks on login portals.
  • Exploitation of third-party services not owned or operated by Ampacimon.
  • Accessing, modifying, or deleting data that does not belong to you.
  • Use of malware, ransomware, or destructive payloads in testing.

Violations of these exclusions may result in legal action.

4. Safe Harbor

Ampacimon supports responsible security research and aligns with the legal framework established by the Centre for Cybersecurity Belgium (CCB).

If you act in good faith and follow this policy:

  • You will not face legal action from Ampacimon.
  • Your report will be treated confidentially.
  • We will collaborate with you to understand and resolve the issue.

To benefit from legal protection under Belgian law, you must also:

  • Limit your actions to what is strictly necessary and proportionate to demonstrate the vulnerability.
  • Avoid any fraudulent intent or malice.
  • Notify Ampacimon and report the vulnerability to the CCB via their vulnerability reporting procedure.

Important: You do not benefit from a general exclusion of liability. Legal protection applies only if you comply with all conditions of this policy and the CCB’s procedure.

5. How to report

Send your report to: security [at] ampacimon [.] com

Include:

  • Affected domain or API endpoint.
  • Detailed description of the vulnerability.
  • Steps to reproduce.
  • Optional: your contact info and public key for encrypted communication.

6. How we treat your report

Once we receive your report, our security team will:

  • Analyze the information provided to assess the nature and severity of the vulnerability.
  • Engage in professional dialogue with you if clarification or further details are needed.

Please note:

  • We do not guarantee follow-up communication after the initial analysis.
  • We do not offer financial compensation, bug bounties, or rewards for submitted reports.

We appreciate your contribution to improving our security posture.

7. Changes to this policy

We may occasionally need to modify or correct our CVD policy. In such a case, Ampacimon does not guarantee that any notification will be issued. The researcher is responsible for being aware of the latest policy in place and its requirements.

8. Confidentiality

For any questions about the confidentiality of your personal data, please check our privacy policy, or you can contact us by:


Last updated on October 3, 2025