Security Policies#Last update: Jun 25, 2022
You can find information about Zuplo's security & compliance policies in our Trust Center.
Reporting Security Issues#
Zuplo takes the security of our software products and services seriously. We will quickly respond and address any reported security vulnerabilities. For disclosure information see below.
If you believe you have found a security vulnerability in any Zuplo-owned repository, product, or service, please report it to us through coordinated disclosure.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please send an email to security[@]zuplo.com.
Please include as much of the information listed below as you can to help us better understand and resolve the issue:
- The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research" is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS") and/or Acceptable Use Policies (“AUP") that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
Zuplo DOES NOT OFFER ANY FORM OF PAYMENT OR BOUNTY for bug reports. Legitimate reports are always appreciated.
Reports are expected to be thorough and contain enough information that Zuplo’s security team can easily duplicate any findings. If specially crafted files are required, they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video. Reports are welcome for issues that cannot be proven but still suggest a serious impact.
- Automated testing is not permitted.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Email spoofing
- Missing DNSSEC, CAA, CSP headers
- Lack of Secure or HTTP only flag on non-sensitive cookies
- Weak SSL/TLS algorithms or protocols.
- Lack of certificate pinning (improper certificate validation still eligible).
- Best practices violations (password complexity, expiration, re-use, etc.).
- Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues.
- Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability).
- Spam or Social Engineering techniques.
- Bugs that do not represent any security risk.
- Application or server error messages, stack traces.
Zuplo reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.