Legal Notice / Imprint

Company name
Pontovio BV

Legal form
Private limited liability company (BV)

Country of establishment
Belgium (European Union)

Registered office
Standplaats 54
2570 Duffel
Belgium

Company registration number
1019.227.696

VAT number
BE 1019.227.696

Contact details
Email: info@pontovio.com
Security contact: security@pontovio.com


Responsible Disclosure Policy

Company: Pontovio BV
Effective date: 2025-08-04
Last reviewed: 2025-10-17

1. Objective

pontovio operates cloud-based data processing services within the European Union and maintains a risk-based information security program. This Responsible Disclosure Policy defines the controlled process for reporting potential security vulnerabilities and sets clear expectations for external researchers, customers, and partners. The objective is to reduce security risk while preserving confidentiality, service continuity, and regulatory compliance.

2. Scope of Applicability

This policy applies to security vulnerabilities affecting:

  • pontovio-operated production environments
  • Cloud services, applications, and APIs provided by pontovio
  • Identity, authentication, authorization, and data isolation controls
  • Infrastructure managed directly by pontovio

Explicitly excluded from scope:

  • Denial-of-service (DoS/DDoS) testing or traffic flooding
  • Social engineering, phishing, or physical intrusion
  • Testing against customer accounts or data without explicit authorization
  • Third-party services, libraries, or platforms not operated by pontovio
  • Automated scanning that impacts availability or performance

Activities outside scope are considered unauthorized.

3. Vulnerability Reporting Channel

Security issues must be reported confidentially.

Designated contact: security@pontovio.com

Reports should include, where applicable:

  • Technical description of the vulnerability
  • Affected component or service
  • Reproducible steps or proof-of-concept
  • Observed or potential impact
  • Date and time of discovery

Submission of unnecessary personal data is prohibited.

4. Expected Researcher Conduct

Reporters are required to:

  • Act in good faith and in compliance with applicable law
  • Minimize testing to what is strictly necessary to confirm the issue
  • Avoid accessing, modifying, or exfiltrating data
  • Immediately cease testing after confirmation
  • Maintain confidentiality until remediation is completed or disclosure is approved in writing

Any action exceeding these boundaries invalidates this policy's protections.

5. pontovio Security Handling Commitments

pontovio commits to the following process controls:

  • Initial acknowledgement within 5 business days
  • Structured triage and risk assessment
  • Remediation prioritization based on severity and impact
  • Coordinated communication where disclosure is warranted

pontovio does not operate a public bug bounty program and does not provide financial compensation for vulnerability reports.

6. Disclosure and Communication

pontovio follows a coordinated disclosure model:

  • Vulnerabilities remain confidential during investigation and remediation
  • Public disclosure is permitted only after:
    • Remediation is completed, or
    • An explicit written agreement on disclosure timing is reached

Unauthorized public disclosure may result in legal action.

7. Legal Safe Harbor (Conditional)

Security research conducted strictly within the boundaries of this policy is considered authorized.

pontovio will not pursue civil or criminal action against researchers who comply with this policy in good faith. This safe harbor does not apply to:

  • Violations of EU or national law
  • Breaches of confidentiality
  • Access to personal data without lawful basis
  • Service disruption or abuse

8. Data Protection and Regulatory Alignment

pontovio processes personal data in accordance with:

  • GDPR (EU Regulation 2016/679)
  • Applicable EU and member state data protection laws

This policy supports pontovio's technical and organizational measures under GDPR Article 32. Vulnerability reports must not introduce additional data protection risks.

9. Policy Governance

This policy is reviewed periodically as part of pontovio's information security governance framework. Updates are published without prior notice.

The current version supersedes all previous versions.

10. Contact

Security-related matters only: security@pontovio.com

All other inquiries must follow standard contractual or support channels.