Vulnerability Reporting

To report a security vulnerability (bug bounty):

We only accept vulnerabilities with a CVSSv3 score of 5.0 or higher via email.

Your submission should include:

• Detailed instructions for reproducing the bug (Proof of Concept);

• A screen capture of the bug execution on a Zapiet resource, either attached or linked;

• Relevant reference links and associated CVEs.

Disclaimer: Any external testing that disrupts the Confidentiality, Integrity, or Availability of Zapiet assets without prior agreement will be considered unlawful, and Zapiet may pursue legal action.

To report an issue that has a security impact, please report to: vulnerabilities@zapiet.com

Once a vulnerability report is received, Zapiet will acknowledge receipt within 3 business days and take the following steps to address the issue:

• Zapiet will assess and verify the validity of the reported vulnerability.

• The vulnerability will be classified by Zapiet according to its potential impact and severity.

• Based on this assessment, Zapiet will create a remediation plan and work to implement a fix. In most cases, Zapiet aims to prepare and publish advisories for newly identified vulnerabilities within approximately 60 days of verification.

• For vulnerabilities classified as Low Impact—those that would result in negligible consequences of production environments, are isolated to a single instance (such as one website not connected to critical infrastructure), or exist only in theoretical or highly unlikely system configurations—Zapiet may not adhere to the 60-day timeline.