Vulnerability Reporting
To report a security vulnerability (bug bounty):
We only accept vulnerabilities with a CVSSv3 score of 5.0 or higher via email.
Your submission should include:
Detailed instructions for reproducing the bug (Proof of Concept);
A screen capture of the bug execution on a Zapiet resource, either attached or linked;
Relevant reference links and associated CVEs.
Disclaimer: Any external testing that disrupts the Confidentiality, Integrity, or Availability of Zapiet assets without prior agreement will be considered unlawful, and Zapiet may pursue legal action.
To report an issue that has a security impact, please send it to: [email protected]
Once a vulnerability report is received, Zapiet will acknowledge receipt within 3 business days and take the following steps to address the issue:
Zapiet will assess and verify the validity of the reported vulnerability.
The vulnerability will be classified by Zapiet according to its potential impact and severity.
Based on this assessment, Zapiet will create a remediation plan and work to implement a fix. In most cases, Zapiet aims to prepare and publish advisories for newly identified vulnerabilities within approximately 90 days of verification. The timelines for each severity level are listed below:
Critical (CVSS 9.0-10.0): 24 hours - For vulnerabilities posing immediate risk
High (CVSS 7.0-8.9): 7 days - For significant security risks
Medium (CVSS 4.0-6.9): 30 days - For moderate risk vulnerabilities
Low (CVSS 0.1-3.9): 90 days - For limited impact vulnerabilities