1. Introduction and Purpose

A & C Christofi Ltd (“ACC CY,” “we,” “us,” or “our”) recognizes the valuable role that security researchers play in identifying potential vulnerabilities in our digital infrastructure. This Vulnerability Disclosure Policy establishes a clear framework for reporting and addressing security vulnerabilities while providing legal safe harbor for researchers acting in good faith.

“Good faith” means that your security research is intended to improve the security and resilience of ACC CY systems, does not harm ACC CY or its clients, and is conducted without malicious intent. Good-faith research must avoid privacy violations, data alteration, service degradation, or access beyond what is necessary to identify the vulnerability.

2. Scope and Coverage

2.1. In-Scope Systems

This Policy applies to the following ACC CY systems and services:

• Primary website: acccyp.com and all associated subdomains
• Client portals and secure web applications
• Mobile applications published by ACC CY
• Public-facing API endpoints and web services
• Cloud infrastructure under ACC CY’s direct control

2.2. Out-of-Scope Systems

The following are explicitly excluded from this Policy:

• Third-party services and applications
• Systems not owned or operated by ACC CY
• Physical security infrastructure
• Social engineering targets

ACC CY makes no representation of ownership over third-party components, frameworks, hosting environments, or SaaS platforms integrated into our systems.

3. Authorization and Legal Safe Harbor

3.1. Authorized Security Research

We consider security research conducted in accordance with this Policy to be authorized. If you make a good-faith effort to comply with these guidelines during your security research, we will consider your activities authorized and will not pursue legal action against you.

3.2. Safe Harbor Provisions

Research conducted under this Policy is:

• Authorized under applicable computer security and data protection laws
• Exempt from certain restrictions in our Terms & Conditions
• Granted protection from legal claims related to good-faith security testing

3.3. Eligibility Requirements

You must be at least 18 years old and not subject to any applicable trade or financial sanctions. Participation is prohibited for individuals resided in countries or regions restricted by EU, UN, UK, or U.S. sanctions. Participation by individuals failing to meet the criteria(s) is strictly prohibited.

4. Security Research Guidelines

4.1. Permitted Testing Methods

Security researchers may:

• Test in-scope systems for potential vulnerabilities
• Conduct automated vulnerability scanning with reasonable rate-limiting
• Perform manual testing to identify security weaknesses
• Share vulnerability information exclusively with ACC CY through designated channels
• Conduct testing within reasonable limits and avoid excessive automated requests, brute-force attempts, or traffic patterns that could impair system availability.

4.2. Required Conduct

Researchers must:

• Make every effort to avoid privacy violations and ensure compliance with applicable data protection laws, including GDPR and Cyprus Law 125(I)/2018
• Minimize impact on system performance and availability
• Refrain from accessing, modifying, or destroying data
• Immediately cease testing upon identifying a vulnerability
• Maintain confidentiality of all vulnerability information
• Refrain from copying, transmitting, downloading, or storing any personal data encountered during testing, except for metadata strictly necessary to demonstrate the vulnerability.

4.3. Strictly Prohibited Activities

The following activities are never permitted:

• Accessing, modifying, or destroying data belonging to others
• Social engineering, phishing, or impersonation attacks
• Physical testing of ACC CY facilities or personnel, or devices
• Denial of service (DoS) attacks or system degradation
• Demanding payment or compensation for vulnerability reports
• Automated scanning that negatively impacts system performance

4.4. Data Protection Obligations

If personal data is inadvertently accessed during testing, researchers must:

• Immediately stop testing
• Not save, copy, transfer, or store any personal data
• Promptly report the exposure to ACC CY through designated secure channels
• Permanently delete any accidentally collected data once reported

And, comply with all applicable data protection laws, including GDPR and Cyprus data protection regulations, when handling any such information.

5. Vulnerability Reporting Process

5.1. Submission Requirements

All vulnerability reports must be submitted to: security@acccyp.com

Reports should include:

• Clear description of the vulnerability and potential impact
• Detailed, step-by-step instructions to reproduce the issue
• Specific locations and components affected (URLs, parameters, etc.)
• Proof-of-concept code, screenshots, or video evidence
• Your contact information for follow-up communication
• Technical environment details (browser, OS, tools used)

5.2. Encryption Recommendations

For sensitive vulnerability information, we recommend:

• Using PGP encryption for detailed technical information
• Secure communication channels for ongoing discussions
• Protecting proof-of-concept code and exploit details

6. Our Commitment to Researchers

6.1. Response and Communication

We commit to:

• Acknowledging receipt of your report within 3 business days
• Providing regular updates on our investigation progress
• Working collaboratively to validate and understand reported issues
• Notifying you when the vulnerability has been resolved
• Maintaining open communication throughout the process

6.2. Resolution Timeframes

• Initial Assessment: Within 5 business days
• Validation: Within 10 business days for critical issues
• Remediation: Based on severity and complexity
• Follow-up: Ongoing until complete resolution

7. Coordinated Vulnerability Disclosure

7.1. Public Disclosure Guidelines

We support responsible public disclosure and request that researchers:

• Allow us a reasonable time to address vulnerabilities before public disclosure
• Coordinate disclosure timelines with our security team
• Refrain from publishing detailed technical exploit code
• Work with us to ensure appropriate mitigations are in place

7.2. Confidentiality Period

We request that researchers maintain confidentiality for:

• 90 days after our acknowledgement of receipt
• Or until public disclosure is mutually agreed upon
• Extended periods for complex remediation requirements

7.3. Non-Disclosure of Exploit Code

Researchers must not publicly release exploit details, proof-of-concept code, payloads, or reproduction steps that could enable malicious use before remediation is fully completed.

8. Scope-Specific Guidance

8.1. Web Application Testing

• Focus on application-layer vulnerabilities
• Avoid impacting other users or system performance
• Use test accounts where possible

8.2. API Testing

• Respect rate limits and API guidelines
• Use appropriate testing methodologies
• Avoid excessive data retrieval or modification

8.3. Mobile Application Testing

• Test only applications published by ACC CY
• Respect user privacy and data protection
• Follow mobile platform security testing best practices

9. Recognition and Appreciation

9.1. Researcher Recognition

While we do not offer monetary rewards, we:

• Publicly acknowledge researchers (with permission)
• Provide letters of appreciation for significant findings
• Maintain a security researcher hall of fame
• Offer professional references where appropriate

ACC CY does not provide financial rewards, bounties, or compensation for vulnerability reports, and participation is strictly voluntary.

9.2. Special Considerations

We particularly value research that identifies:

• Critical vulnerabilities in new systems
• Novel attack vectors or techniques
• Vulnerabilities with significant business impact (of adverse nature)
• Issues affecting multiple systems or components

10. Contact and Support

10.1. Primary Contact

ACC CY Security Team
Email: security@acccyp.com
This address is for security reports only.

10.2. Emergency Contact

For critical or time-sensitive issues:

• Use “[URGENT]” in email subject line
• Provide immediate contact information
• Describe the critical nature of the finding

10.3. General Inquiries

For non-security related questions:

• General inquiries: info@acccyp.com
• Client services: clients@acccyp.com
• Technical support: support@acccyp.com

11. Policy Administration

11.1. Review and Updates

This Policy is:

• Reviewed annually by the Security Committee
• Updated to reflect contemporary changes in technology and threats
• Communicated to relevant stakeholders
• Version controlled with changed history

11.2. Compliance and Enforcement

• All security research must comply with this Policy
• Violations may result in the revocation of authorized status
• Serious violations may be reported to the appropriate authorities
• Good faith compliance is always considered

11.3. International Considerations

This Policy acknowledges:

• Varying legal frameworks across jurisdictions
• International cybersecurity standards
• Cross-border vulnerability disclosure norms
• Global security research community practices

Contact Information

Security Team
A & C Christofi Ltd
Email: security@acccyp.com
Address: 37 Nicou and Despinas Pattichi Avenue, Evi Court, 3rd Floor, Offices 302–303, Limassol, CY-3071, Cyprus

Response Service Commitment

• Acknowledgement: 3 business days maximum
• Initial Assessment: 5 business days
• Critical Issue Resolution: Accelerated timeline
• Regular Updates: Throughout the remediation process

This Vulnerability Disclosure Policy was formally adopted on October 11, 2024, and becomes effective on 1 December, 2025. It represents our commitment to collaborative security and replaces all previous vulnerability disclosure practices. This Policy may be updated to reflect evolving security requirements and industry best practices.