Responsible Disclosure Policy

Effective Date/Last Updated: January 1, 2020

  • Zipi's security team makes a real difference when it comes to protecting data.

    Please email security@zipi.app to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress. If you're curious about the status of your disclosure, please feel free to email us again. If you want to encrypt your disclosure our email is setup for S/MIME otherwise please message your intent to security@zipi.app and we will arrange other communication mediums.

    Please refrain from requesting compensation for reporting vulnerabilities. If you want we will publicly acknowledge your responsible disclosure. We also try to make the confidential issue public after the vulnerability is announced.

    You are not allowed to search for vulnerabilities on zipi.app itself. Zipi maintains multiple environments for quality assurance and testing. If you want to perform testing please contact us to arrange access to a staging server.
Confidential issues
  • When a vulnerability is suspected or discovered we create a confidential ~security issue to track it internally.
Red Team Rules of Engagement
  • If you want to conduct red teaming against Zipi you will need written permission upfront. You can apply by emailing security@zipi.app your plans and experience. You need to get a written authorization letter from our Directory of Security. While you are engaged in red teaming activities you should coordinate with the Security Team so escalation (law enforcement, etc.) can be avoided. The Security Team will notify the Infrastructure Team as well as the VP of Engineering so that awareness is maintained.
Disclosure Guidelines for Vulnerabilities in 3rd Party Software
  • When a security vulnerability in some 3rd party product is discovered by Zipi team members the following disclosure guideline should apply:Our priority is to get the reported vulnerability fixed. If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep vulnerability details confidential until the issue is fixed. If possible, we will verify the fix before it is being published. In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited. We aim for a fix within a 90 days deadline. We will treat this as a soft deadline and help to meet the deadline when reporting. We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.
  • For the safety of our users and community security vulnerabilities are only announced after remediation. We ask that researchers follow our Responsible Disclosure Policy.