Vulnerability Disclosure Policy
At Seygov, a product of Nassau Technologies LLC ("Seygov," "we," "us," or "our"), we take the security of the Seygov platform and related services ("Services") seriously. Because the Services are designed for use by government agencies and may process sensitive public sector data and personal information submitted by members of the public, maintaining a secure platform is a core obligation. This Vulnerability Disclosure Policy ("Policy") establishes a framework for security researchers and responsible parties to report potential security vulnerabilities to us safely, legally, and responsibly. We value the contributions of the security research community and encourage responsible disclosure that helps us protect our Subscribers, their deployed applications, and the members of the public who interact with them.
1. Purpose
The purpose of this Policy is to provide clear guidance to individuals who discover or suspect a security vulnerability in the Seygov platform, and to establish the terms under which such discoveries may be reported to Seygov. This Policy does not grant permission to actively test, probe, or attack the Services. It establishes a responsible disclosure channel for vulnerabilities discovered through incidental or passive observation during authorized use of the Services.
2. Scope
This Policy applies to the following Seygov-owned assets:
- The Seygov web platform and administrative dashboard;
- Seygov-owned domains and subdomains;
- The Seygov API and associated endpoints;
- Seygov-controlled server infrastructure and hosting environment.
This Policy does NOT apply to and does NOT authorize research or testing of:
- Applications deployed by Subscribers through the Seygov platform — these are owned and operated by the Subscriber, not by Seygov;
- Third-party systems, integrations, or services connected to the platform at a Subscriber's direction, including LDAP servers, SMTP servers, or payment processors;
- Systems, domains, or infrastructure not owned or directly operated by Seygov;
- Social engineering, phishing, or physical security assessments targeting Seygov personnel, Subscribers, or members of the public;
- Any system belonging to a government agency, Subscriber organization, or member of the public.
Vulnerabilities discovered in Subscriber-deployed applications or Subscriber-controlled systems should be reported directly to the applicable Subscriber organization. Seygov is not responsible for the security of Subscriber-deployed applications or Subscriber-controlled infrastructure.
3. Safe Harbor for Good-Faith Research
If you comply fully with this Policy when discovering and reporting a vulnerability, Seygov will not pursue legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or similar applicable laws, provided that your research was conducted in good faith, within the scope defined in this Policy, and did not result in harm to Seygov, its Subscribers, or any member of the public.
Seygov considers security research conducted strictly in accordance with this Policy to be "authorized" for purposes of applicable law. Safe harbor under this Policy does NOT apply to:
- Any action that results in harm, disruption, data loss, or unauthorized access affecting Seygov, its Subscribers, or any member of the public;
- Unauthorized access to, exfiltration, copying, modification, or destruction of any data, including Subscriber Data or personal information submitted by members of the public;
- Exploiting a vulnerability beyond the minimum extent necessary to confirm its existence;
- Extortion, threats, or demands of any kind;
- Public disclosure of a vulnerability prior to Seygov's remediation and without Seygov's prior written consent;
- Research conducted outside the scope defined in Section 2 of this Policy.
SEYGOV MAKES NO REPRESENTATIONS REGARDING LEGAL IMMUNITY UNDER LAWS OTHER THAN THOSE EXPRESSLY REFERENCED ABOVE. YOU ARE SOLELY RESPONSIBLE FOR ENSURING THAT YOUR ACTIVITIES COMPLY WITH ALL APPLICABLE FEDERAL, STATE, AND LOCAL LAWS.
4. Prohibited Activities
Regardless of intent, the following activities are strictly prohibited and will not be covered by safe harbor under any circumstances:
- Accessing, modifying, copying, exfiltrating, or destroying any data that does not belong to you, including Subscriber Data, personal information submitted by members of the public, or Seygov operational data;
- Intentionally disrupting, degrading, or denying access to the Services for any Subscriber, authorized user, or member of the public;
- Exploiting a discovered vulnerability to access data, escalate privileges, or perform any action beyond what is minimally necessary to confirm the vulnerability's existence;
- Using automated scanning tools, brute-force tools, fuzzing tools, or vulnerability scanners against the Services without prior written authorization from Seygov;
- Conducting denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the Services or any connected system;
- Engaging in phishing, social engineering, spam, or any deceptive practice targeting Seygov personnel, Subscribers, authorized users, or members of the public;
- Testing, probing, or accessing Subscriber-deployed applications, Subscriber-controlled systems, or any government agency's infrastructure;
- Accessing accounts, records, or data belonging to any Subscriber or member of the public, even if a vulnerability would permit such access;
- Publicly disclosing any vulnerability, exploit, or related information before Seygov has confirmed remediation and provided written consent for disclosure.
5. Reporting Guidelines
If you discover a potential security vulnerability in the Seygov platform, please report it to Seygov as promptly as possible. When submitting a vulnerability report, please include the following information to the extent available:
- A clear and detailed description of the vulnerability, including the affected component, endpoint, or feature;
- Step-by-step instructions to reproduce the issue, including any relevant URLs, parameters, or request/response data;
- Proof-of-concept code, screenshots, or other supporting evidence demonstrating the vulnerability, if applicable and if such evidence can be provided without accessing unauthorized data;
- An assessment of the potential security impact, including the type of data or functionality that could be affected;
- Your name and contact information — anonymity is acceptable if preferred, though providing contact information allows us to follow up with questions or updates.
Vulnerability reports should be submitted through the contact methods provided on the Seygov website. Seygov will acknowledge receipt of your report within seven (7) business days. Please do not disclose the vulnerability publicly or to any third party prior to Seygov's confirmation of remediation.
6. Seygov's Commitments
Upon receiving a valid and complete vulnerability report submitted in accordance with this Policy, Seygov will:
- Acknowledge receipt of your report within seven (7) business days;
- Investigate the reported issue in good faith and with reasonable promptness;
- Provide an estimated timeline for investigation and remediation where practicable, based on the complexity and severity of the issue;
- Notify you when the reported issue has been investigated and, where applicable, remediated;
- Credit you publicly for your responsible disclosure contribution, unless you request anonymity or unless circumstances require otherwise.
Seygov does not offer monetary compensation or bug bounties for vulnerability reports at this time. Seygov reserves the right to determine, at its sole discretion, whether a reported issue constitutes a valid vulnerability and the appropriate scope and timeline for remediation.
7. Out-of-Scope Vulnerabilities
The following categories of issues are generally considered out of scope and will not be remediated or recognized under this Policy:
- Denial-of-service (DoS) or volumetric attack vulnerabilities that require significant infrastructure to exploit;
- Vulnerabilities that require physical access to Seygov's servers or facilities;
- Vulnerabilities in third-party libraries, services, or infrastructure outside of Seygov's direct control, unless Seygov's specific implementation introduces the vulnerability;
- Reports relating to missing security headers or other informational findings that do not present a demonstrable exploitable risk;
- Reports that are duplicative of issues already known to Seygov or currently under active remediation;
- Vulnerabilities in Subscriber-deployed applications or Subscriber-controlled systems;
- Issues that require social engineering, phishing, or physical access to exploit;
- Theoretical or speculative vulnerabilities without a clear proof of concept or demonstrable impact.
8. Data Handling During Disclosure
If, in the course of discovering a vulnerability, you inadvertently access, observe, or obtain any Subscriber Data, personal information, or other data that does not belong to you, you must:
- Immediately cease any further access to such data;
- Not copy, retain, transmit, or use such data for any purpose;
- Immediately notify Seygov of the inadvertent access as part of your vulnerability report;
- Cooperate fully with Seygov in assessing the scope of any inadvertent access.
Failure to comply with these requirements will result in the loss of safe harbor protections under this Policy and may result in legal action.
9. Legal Compliance
Nothing in this Policy permits you to violate any applicable federal, state, or local law. You must comply with all applicable laws when conducting any security research, including but not limited to the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Electronic Communications Privacy Act, and any applicable state cybercrime or data protection laws. Seygov's safe harbor commitment does not extend to violations of laws not expressly referenced in this Policy.
10. Indemnification
You agree to indemnify, defend, and hold harmless Seygov and its officers, directors, employees, agents, contractors, affiliates, successors, and assigns from and against any and all claims, demands, actions, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) your failure to comply with this Policy; (b) your unauthorized access to or use of the Services; (c) any harm caused to Seygov, its Subscribers, or any member of the public as a result of your actions in connection with vulnerability research or disclosure; or (d) your violation of any applicable law in connection with security research activities.
11. Changes to This Policy
Seygov reserves the right to update or modify this Vulnerability Disclosure Policy at any time at its sole discretion. Updated versions of this Policy will be posted on the Seygov website with a revised effective date. It is your responsibility to review this Policy before conducting any security research or submitting any vulnerability report.
12. Entire Agreement
This Policy, together with Seygov's Terms and Conditions, Privacy Policy, Security & Compliance Statement, Data Processing Addendum, Cookie Policy, and Acceptable Use Policy, constitutes the entire agreement between you and Seygov regarding vulnerability disclosure. This Policy supersedes all prior or contemporaneous agreements, communications, representations, or understandings, whether oral or written, relating to vulnerability disclosure.
13. Contact Information
To report a suspected security vulnerability, please contact Seygov through the security contact methods provided on the Seygov website. Please do not publicly disclose vulnerability details prior to receiving written confirmation from Seygov that the issue has been remediated.