Security

The secure side of eyeo

At eyeo, protecting your data and earning your trust is our top priority. We embed security into every part of our business—from how we build software to how we train our people. Whether you’re a customer, partner, or security researcher, we are committed to transparency, resilience, and continuous improvement.

Security isn’t just a feature—it’s a foundation. Our approach is built around:

  • Security by design: Security is baked into every phase of development and deployment.
  • Proactive defense: We use automation, monitoring, and layered protection.
  • Transparency: We prioritize clear policies and open communication with stakeholders.
  • Resilience: Redundancy, disaster recovery, and business continuity are integral.

Our efforts in securing ourselves and our partners

We approach security holistically, protecting not only our own infrastructure but also ensuring that our partners and clients benefit from a secure digital ecosystem.

Application security

All of our applications are developed with security by design. We integrate secure development lifecycle (SDLC) practices across our engineering teams, including:

  • Code analysis and in-house security reviews to ensure early detection of vulnerabilities
  • Automated dependency scanning to detect known threats in open-source packages
  • Least privilege principles for access to services and data

Infrastructure security

Our infrastructure is hardened using best practices from cloud-native security:

  • Data encryption both in transit and at rest, using industry-standard algorithms and practices
  • Firewalls, VPCs, and access controls to segment and isolate critical components
  • Real-time threat detection and automated response systems to identify and mitigate anomalies
  • Disaster recovery and backup systems with geographically redundant failover

Security awareness training and attack simulations

We cultivate a security-first culture with ongoing education and real-world testing:

  • Mandatory security training for all employees during onboarding and at regular intervals
  • Context-aware phishing simulations to raise awareness and reduce risks

Security policies and governance

Our security strategy is guided by a comprehensive framework of internal policies that govern how we protect data, manage systems, and empower our teams. These policies ensure that security is not only reactive but proactively embedded into every layer of our operations. They are regularly reviewed, updated, and enforced through internal audits and compliance checks, so we stay ahead of evolving threats and industry standards.

Below are examples of key security policies currently in effect at eyeo:

  • Acceptable Use of Assets Policy
  • Access Control Policy
  • Business Continuity and Disaster Recovery (BCDR) Policy
  • Cloud Security Policy
  • Cryptography Policy
  • Data Breach and Data Security Policies
  • Document Control Policy
  • Information Classification, Labeling and Handling Policy
  • Information Security Awareness Policy
  • Physical and Environmental Security Policy
  • Screening and Records Management Policy
  • Secure Software Development Life Cycle Policy

These policies form the foundation of our security governance model, driving consistency, accountability, and resilience across all teams and technologies.

Vulnerability Disclosure Policy

We encourage responsible security research and are committed to working with the community to improve our platform. If you believe you’ve discovered a vulnerability, we want to hear from you.

Reporting a vulnerability

If you believe you’ve found a security issue, please email us at security@eyeo.com with details of the issue, including:

  • Description of the vulnerability, including scope and potential impact
  • Steps to reproduce
  • Supporting artifacts (logs, screenshots, etc.)

Scope

We welcome reports related to:

  • eyeo.com and associated subdomains, excluding services not managed by eyeo
  • adblockplus.org and associated subdomains, excluding services not managed by eyeo
  • blockthrough.com and associated subdomains, excluding services not managed by eyeo
  • Our public APIs and mobile applications
  • Third-party services officially maintained by eyeo

Out of scope

  • Denial-of-service attacks (DoS, DDoS)
  • Social engineering or phishing against staff of eyeo and subsidiaries
  • Physical security of eyeo offices or infrastructure
  • Third-party services not maintained or owned by eyeo

Safe harbor

We support coordinated disclosure and will not pursue legal action against researchers acting in good faith under this policy. You are expected to:

  • Avoid privacy violations and service disruption.
  • Provide us reasonable time to remediate.
  • Respect data integrity and confidentiality.

Acknowledgement and recognition

While we do not run a formal bug bounty program, we may offer recognition or rewards for critical, valid findings on a case-by-case basis. Monetary compensation is discretionary and not guaranteed.