Vulnerability Disclosure Policy
1. How to Report a Suspected Vulnerability
If you would like to report a vulnerability or have a security concern regarding Zygon products and services, please email security@zygon.tech. We will respond to you and acknowledge receipt of your report.
Once your report has been submitted, we will work to validate the reported vulnerability and will reach out to you if additional information is required.
2. What we would like to see from you
To help us triage and remediate potential findings, the vulnerability report should:
- Describe the vulnerability, precisely where it was discovered, and the real-world impact.
- Reports from automated scanning tools are not accepted.
- Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
- Please include one vulnerability per report (unless in an attack chain).
- Don’t report automated scanner results without proof of exploitability.
- Are considered out of scope and will be ignored by our teams: minor vulnerabilities on the marketing website (www.zygon.tech), DNS configuration items.
3. The Zygon team's commitment
To help us triage and remediate potential findings, the vulnerability report should:
- Describe the vulnerability, precisely where it was discovered, and the real-world impact.
- Reports from automated scanning tools are not accepted.
- Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
- Please include one vulnerability per report (unless in an attack chain).
- Don’t report automated scanner results without proof of exploitability.
- Are considered out of scope and will be ignored by our teams: minor vulnerabilities on the marketing website (www.zygon.tech), DNS configuration items.
We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Zygon.
4. Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.