Responsible Disclosure Policy

Last Updated: April 22, 2025

At Zerophia, we take security seriously. We appreciate the efforts of security researchers and the broader community in helping us maintain a high security standard for our users and systems.

This policy provides guidelines for security researchers to report potential security vulnerabilities in our services and systems, and outlines what you can expect from us in return.

Our Commitment

We're committed to ensuring the security of our users' data and our systems. If you've discovered a potential security vulnerability, we appreciate your help in disclosing it to us responsibly.

We will acknowledge your report within 48 hours of receipt and keep you informed as we investigate and resolve the issue.

As a token of our appreciation for helping keep Zerophia and our users safe, we'll acknowledge your contribution (if desired) and may offer rewards based on the severity and impact of the vulnerability.

Reporting a Vulnerability

If you believe you've found a security vulnerability in our systems, we encourage you to notify us through our coordinated vulnerability disclosure process:

  1. Send an email to [email protected] with a detailed description of the vulnerability
  2. Include steps to reproduce the issue, if possible
  3. Include the potential impact of the vulnerability
  4. Include your name and contact information for follow-up questions

To protect our users, please do not publicly disclose the issue until we have addressed it and confirmed this to you.

Scope

This policy applies to all Zerophia-owned systems and services. The following are in scope:

  • zerophia.com and all subdomains
  • Zerophia API endpoints
  • Zerophia web and mobile applications
  • Any other systems or services clearly owned and operated by Zerophia

Responsible Testing

When testing for vulnerabilities, please follow these guidelines:

  • Do not attempt to access or modify other users' data
  • Do not perform testing that could impact the reliability or integrity of our services
  • Do not use automated vulnerability scanning tools without prior permission
  • Do not attempt social engineering of our employees or contractors
  • Do not attempt physical security breaches of our facilities
  • Only test against test accounts you own or accounts you have explicit permission to test

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for security research conducted in accordance with this policy. We consider activities conducted in alignment with this policy to be "authorized" under the Computer Fraud and Abuse Act.

Note that we cannot authorize security testing on behalf of third parties (such as cloud providers). It is your responsibility to ensure you have appropriate permission for testing any third-party systems.

Contact

If you have any questions about this policy or would like to report a security issue, please contact us at [email protected].