EIGHTFOLD SECURITY POLICY

Vulnerability Disclosure Program

Revised 11 Mar 2026

1. Objective

At Eightfold, we are committed to protecting the security and integrity of our systems, services, and customer data. We recognize the invaluable contributions that the global security community can make. Our Vulnerability Disclosure Program provides an avenue for customers and security researchers to engage in good-faith security research and to disclose vulnerabilities.

2. Program Rules

To ensure the security and integrity of our systems and data, all participants must adhere to the following guidelines:

  • Stay within the scope defined in section 3 of this policy and respect all out-of-scope boundaries.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only test to the extent necessary to confirm a vulnerability’s presence.
  • You are permitted to use only accounts that you own or have explicit permission to use.
  • Do not access, modify, or store data that is not your own, and refrain from any form of social engineering, phishing, physical attacks, or activities that violate the privacy or trust of others.

If you identify a significant vulnerability, you should stop your test, notify us immediately at security@eightfold.ai, and not disclose this data to anyone else.

3. Scope

The scope of testing is exclusively limited to our web application accessible at volkscience.eightfold.ai/careers

Any service not listed, including any connected services, is excluded from scope and is not authorized for testing. This includes any subdomains of *.eightfold.ai or our corporate site located at eightfold.ai.

Vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy. If you aren’t sure whether a system is in scope or not, contact us at security@eightfold.ai. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

4. Reporting

When reporting a vulnerability, please send your report details to security@eightfold.ai. Your submission should include a description of the vulnerability, step-by-step instructions to reproduce the vulnerability, and any relevant evidence. Screenshots, videos, or proof-of-concept code are extremely helpful and will allow us to respond more quickly. Do not submit a high volume of low-quality reports.

Please submit one vulnerability per report unless multiple issues are directly related. Include your contact information so we can communicate with you throughout the remediation process.

We will work to adhere to the following response times:

  • Initial Acknowledgment: Within three (3) business days
  • Triage and Verification: Within five (5) business days
  • Remediation Plan: Communicated within ten (10) business days

5. Disclosure Policy

We believe in coordinated disclosure and any public disclosure of the vulnerability details should be mutually agreed upon. We do not expect indefinite non-disclosure but ask for reasonable time to address issues.

6. Contact

For questions or clarifications send an email to security@eightfold.ai.

7. Legal Terms

We reserve the right to modify or terminate this program at any time. Changes will be updated in this policy document. Continued participation after changes constitutes acceptance of the new terms.

  • As you participate in this Program, you will comply with all laws applicable to you, and not disrupt or compromise any data beyond what this Program permits.
  • You are not currently an Eightfold employee or contractor, were not an Eightfold employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.
  • We provide no warranties and disclaim liability for any damages.
  • You are responsible for any taxes or expenses resulting from rewards. All decisions regarding rewards and eligibility are final.
  • You must not be on any sanctions lists or reside in countries under U.S. or other applicable government embargoes. We cannot reward you if you are on any U.S. sanctions list, or reside in any U.S.-sanctioned country or region.

Legal Safe Harbor: We consider activities conducted consistent with this policy to be authorized conduct, and you have our permission to perform good-faith security research and vulnerability disclosure. We will work with you to understand and resolve the issue quickly, and Eightfold will not recommend or pursue legal action related to your research so long as you fully comply with this policy. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions. These protections apply only if you comply with this policy.

By participating in Eightfold’s Vulnerability Disclosure Program, you acknowledge that you have read, understood, and agreed to this policy in its entirety.
